This document discusses various security topics for .NET applications including cross-site scripting (XSS), SQL injection, cross-site request forgery (CSRF), clickjacking, and secure file handling. It provides definitions, examples, and mitigation strategies for each topic. Code examples are shown for XSS defenses, SQL injection defenses, CSRF defenses, clickjacking defenses, and secure file uploads. The document also includes additional tips and resources for developing secure .NET applications.
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...Quek Lilian
A live hacking session demonstrating the different tools and techniques used by hackers and an in-depth understanding of the problems of insecure application and the solutions to solve the vulnerability.
Owasp top 10 web application security hazards - Part 1Abhinav Sejpal
Mission :- Understand / Learn / Practice OWASP Web Security Vulnerabilities https://www.owasp.org/index.php/Top102013-Top_10 In this session, Attendees will perform hands-on exercises to get a better understanding of the OWASP top ten security threats.
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...Quek Lilian
A live hacking session demonstrating the different tools and techniques used by hackers and an in-depth understanding of the problems of insecure application and the solutions to solve the vulnerability.
Owasp top 10 web application security hazards - Part 1Abhinav Sejpal
Mission :- Understand / Learn / Practice OWASP Web Security Vulnerabilities https://www.owasp.org/index.php/Top102013-Top_10 In this session, Attendees will perform hands-on exercises to get a better understanding of the OWASP top ten security threats.
Owasp top 10 web application security hazards part 2Abhinav Sejpal
Mission :- Understand / Learn / Practice OWASP Web Security Vulnerabilities https://www.owasp.org/index.php/Top102013-Top_10 In this session, Attendees will perform hands-on exercises to get a better understanding of the OWASP top ten security threats.
How to Make Your NodeJS Application Secure (24 Best Security Tips )Katy Slemon
For the start-ups that are already using Node.js in their web application, even you can implement these top 24 security tips to keep your Node.js app free from attacks.
Cross-Site Request Forgery (CSRF in short) is a kind of a web application vulnerability which allows malicious website to send unauthorized requests to a vulnerable website using active session of its authorized users
In simple words, it’s when an “evil” website posts a new status in your twitter account on your visit while the login session is active on twitter.
For security reasons the same origin policy in browsers restricts access for browser-side programming languages such as Javascript to access a remote content.
As the browsers configurations may be modified, the best way to protect web application against CSRF is to secure web application itself.
This talk walks through the basics of web security without focussing too much on the particular tools that you choose. The concepts are universal, although most examples will be in Perl. We'll also look at various attack vectors (SQL Injection, XSS, CSRF, and more) and see how you can avoid them. Whether you're an experienced web developer (we all need reminding) or just starting out, this talk can help avoid being the next easy harvest of The Bad Guys.
BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYANSamvel Gevorgyan
"Web Application Security is a vast topic
and time is not enough to cover all kind
of malicious attacks and techniques for
avoiding them, so now we will focus on
top 10 high level vulnerabilities.
Web developers work in different ways
using their custom libraries and
intruder prevention systems and now
we will see what they should do and
should not do based on best practices."
- Samvel Gevorgyan
[ Presentation on Scribd ]
http://www.scribd.com/doc/47157267
+ Background & Basics of Web App Security, The HTTP Protocol, Web.
+ Application Insecurities, OWASP Top 10 Vulnerabilities (XSS, SQL Injection, CSRF, etc.)
+ Web App Security Tools (Scanners, Fuzzers, etc), Remediation of Web App
+ Vulnerabilities, Web Application Audits and Risk Assessment.
Web Application Security 101 was conducted by:
Vaibhav Gupta, Vishal Ashtana, Sandeep Singh from Null.
Secure coding is the practice of developing computer software in a way that guards against the accidental introduction of security vulnerabilities. Defects, bugs and logic flaws are consistently the primary cause of commonly exploited software vulnerabilities. Through the analysis of thousands of reported vulnerabilities, security professionals have discovered that most vulnerabilities stem from a relatively small number of common software programming errors. By identifying the insecure coding practices that lead to these errors and educating developers on secure alternatives, organizations can take proactive steps to help significantly reduce or eliminate vulnerabilities in software before deployment.
Session by: Akash S Prakash
Owasp top 10 web application security hazards part 2Abhinav Sejpal
Mission :- Understand / Learn / Practice OWASP Web Security Vulnerabilities https://www.owasp.org/index.php/Top102013-Top_10 In this session, Attendees will perform hands-on exercises to get a better understanding of the OWASP top ten security threats.
How to Make Your NodeJS Application Secure (24 Best Security Tips )Katy Slemon
For the start-ups that are already using Node.js in their web application, even you can implement these top 24 security tips to keep your Node.js app free from attacks.
Cross-Site Request Forgery (CSRF in short) is a kind of a web application vulnerability which allows malicious website to send unauthorized requests to a vulnerable website using active session of its authorized users
In simple words, it’s when an “evil” website posts a new status in your twitter account on your visit while the login session is active on twitter.
For security reasons the same origin policy in browsers restricts access for browser-side programming languages such as Javascript to access a remote content.
As the browsers configurations may be modified, the best way to protect web application against CSRF is to secure web application itself.
This talk walks through the basics of web security without focussing too much on the particular tools that you choose. The concepts are universal, although most examples will be in Perl. We'll also look at various attack vectors (SQL Injection, XSS, CSRF, and more) and see how you can avoid them. Whether you're an experienced web developer (we all need reminding) or just starting out, this talk can help avoid being the next easy harvest of The Bad Guys.
BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYANSamvel Gevorgyan
"Web Application Security is a vast topic
and time is not enough to cover all kind
of malicious attacks and techniques for
avoiding them, so now we will focus on
top 10 high level vulnerabilities.
Web developers work in different ways
using their custom libraries and
intruder prevention systems and now
we will see what they should do and
should not do based on best practices."
- Samvel Gevorgyan
[ Presentation on Scribd ]
http://www.scribd.com/doc/47157267
+ Background & Basics of Web App Security, The HTTP Protocol, Web.
+ Application Insecurities, OWASP Top 10 Vulnerabilities (XSS, SQL Injection, CSRF, etc.)
+ Web App Security Tools (Scanners, Fuzzers, etc), Remediation of Web App
+ Vulnerabilities, Web Application Audits and Risk Assessment.
Web Application Security 101 was conducted by:
Vaibhav Gupta, Vishal Ashtana, Sandeep Singh from Null.
Secure coding is the practice of developing computer software in a way that guards against the accidental introduction of security vulnerabilities. Defects, bugs and logic flaws are consistently the primary cause of commonly exploited software vulnerabilities. Through the analysis of thousands of reported vulnerabilities, security professionals have discovered that most vulnerabilities stem from a relatively small number of common software programming errors. By identifying the insecure coding practices that lead to these errors and educating developers on secure alternatives, organizations can take proactive steps to help significantly reduce or eliminate vulnerabilities in software before deployment.
Session by: Akash S Prakash
This presentation is from Null/OWASP/G4H November Bangalore MeetUp 2014.
technology.inmobi.com/events/null-owasp-g4h-november-meetup
Talk Outline:-
A) Reflective-(Non-Persistent Cross-site Scripting)
- What is Reflective Cross-site scripting.
- Testing for Reflected Cross site scripting
How to Test
- Black Box testing
- Bypass XSS filters
- Gray Box testing
Tools
Defending Against Reflective Cross-site scripting.
Examples of Reflective Cross-Site Scripting Attacks.
B) Stored -(Persistent Cross-site Scripting)
What is Stored Cross-site scripting.
How to Test
- Black Box testing
- Gray Box testing
Tools
Defending Against Stored Cross-site scripting.
Examples of Stored Cross-Site Scripting Attacks.
Web Security - OWASP - SQL injection & Cross Site Scripting XSSIvan Ortega
What is it?
How to prevent?
How to test my application web?
what say OWASP about it
All about SQL injection and Cross Site Scripting XSS
Tools to test our application web
Rules to prevent attacks from Hackers on our web
Cross site scripting (XSS) is a type of computer security vulnerability typically found in web applications, but in proposing defensive measures for cross site scripting the websites validate the user input and determine if they are vulnerable to cross site scripting. The major considerations are input validation and output sanitization.
There are lots of defense techniques introduced nowadays and even though the coding methods used by developers are evolving to counter attack cross site scripting techniques, still the security threat persist in many web applications for the following reasons:
• The complexity of implementing the codes or methods.
• Non-existence of input data validation and output sanitization in all input fields of the application.
• Lack of knowledge in identifying hidden XSS issues etc.
This proposed project report will briefly discuss what cross site scripting is and highlight the security features and defense techniques that can help against this widely versatile attack.
“Are you one of them, who thinks that Cross-Site Scripting is just for some errors or pop-ups on the screen?” Yes?? Then today in this article, you’ll see how an XSS suffering web-page is not only responsible for the defacement of the web-application but also, it could disrupt a visitor’s privacy by sharing the login credentials or his authenticated cookies to an attacker without his/her concern.
logout.php Session Data after Logout Username Email . $_.docxsmile790243
logout.php
Session Data after Logout
Username Email " . $_SESSION['appusername'] . "
" .
"" . $_SESSION['appemail'] . "
";
?>
ZAP Scanning Report for loginAuthReport.odt
ZAP Scanning Report
Summary of Alerts
Risk Level
Number of Alerts
High
2
Medium
1
Low
5
Informational
3
Alert Detail
High (Warning)
Cross Site Scripting (Reflected)
Description
Cross-site Scripting (XSS) is an attack technique that involves echoing attacker-supplied code into a user's browser instance. A browser instance can be a standard web browser client, or a browser object embedded in a software product such as the browser within WinAmp, an RSS reader, or an email client. The code itself is usually written in HTML/JavaScript, but may also extend to VBScript, ActiveX, Java, Flash, or any other browser-supported technology.
When an attacker gets a user's browser to execute his/her code, the code will run within the security context (or zone) of the hosting web site. With this level of privilege, the code has the ability to read, modify and transmit any sensitive data accessible by the browser. A Cross-site Scripted user could have his/her account hijacked (cookie theft), their browser redirected to another location, or possibly shown fraudulent content delivered by the web site they are visiting. Cross-site Scripting attacks essentially compromise the trust relationship between a user and the web site. Applications utilizing browser object instances which load content from the file system may execute code under the local machine zone allowing for system compromise.
There are three types of Cross-site Scripting attacks: non-persistent, persistent and DOM-based.
Non-persistent attacks and DOM-based attacks require a user to either visit a specially crafted link laced with malicious code, or visit a malicious web page containing a web form, which when posted to the vulnerable site, will mount the attack. Using a malicious form will oftentimes take place when the vulnerable resource only accepts HTTP POST requests. In such a case, the form can be submitted automatically, without the victim's knowledge (e.g. by using JavaScript). Upon clicking on the malicious link or submitting the malicious form, the XSS payload will get echoed back and will get interpreted by the user's browser and execute. Another technique to send almost arbitrary requests (GET and POST) is by using an embedded client, such as Adobe Flash.
Persistent attacks occur when the malicious code is submitted to a web site where it's stored for a period of time. Examples of an attacker's favorite targets often include message board posts, web mail messages, and web chat software. The unsuspecting user is not required to interact with any additional site/link (e.g. an attacker site or a malicious link sent via email), just simply view the web page containing the code.
URL
http://localhost/week4/authcheck.php
Parameter
username
Attack
</td><script>alert(1);</script><td>
Solution
Phase ...
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
3. Definitions
Cross-site Scripting (XSS)
Occurs when a web application gathers malicious data from a user
(untrusted source).The data is usually gathered in the form of a
hyperlink or form submission, database, or cookie which contains
malicious content within it.
Malicious data is generally in the form of Javascript or HTML
Types are DOM-based, “stored” (persistent) and “reflected” (non-
persistent)
5. Mitigations
Cross-site Scripting (XSS)
Explicitly set character set encoding (meta charset)
Identify special characters
Encode all dynamic output (htmleditformat)
Filter special characters in dynamic elements (blacklist –
not preferable)
Stronger data validation (whitelist/positive – preferable)
Never count on client side validation (it can be turned
off)
Use HttpOnly cookies
Use secure cookies whenever possible
No one thing will mitigate all threats, it will require use
of multiple techniques
8. Definitions
SQL Injection (fromWikipedia)
Technique often used to attack data driven applications by including
portions of SQL statements in an entry field in an attempt to get the
website to pass a newly formed rogue SQL command to the
database (e.g., dump the database contents to the attacker).
The vulnerability happens when user input is either incorrectly
filtered for string literal escape characters embedded in SQL
statements or user input is not strongly typed and unexpectedly
executed.
SQL injection is mostly known as an attack vector for websites but
can be used to attack any type of SQL database.
In operational environments, it has been noted that applications
experience an average of 71 attempts an hour
9. Examples
SQL Injection
http://en.wikipedia.org/wiki/SQL_injection#Examples
http://www.mydomain.com/products/products.asp?productid=123
or 1=1
http://www.mydomain.com/products/products.asp?productid=123;
DROP
TABLE Products
10. Mitigations
SQL Injection
Never trust input data.Validate everything
Avoid dynamic SQL built with string concatenation
Prefer stored procedures 0r ORM
If dynamic SQL, used parameterized commands
Sensitive/confidential data should be encrypted
Limit connection privilege (no DBO or SA)
13. Definition
Cross-site Request Forgery (CSRF)
Attack which forces an end user to execute unwanted actions on a
web application in which he/she is currently authenticated.
Embed HTML in malicious site that preys on users authenticated on
other sites.
Submitting unauthorized data to your application from other servers
(untrusted)
Not easy to make a successful attack, but that doesn’t mean we
shouldn’t protect ourselves
14. Examples
Cross-site Request Forgery (CSRF)
<img
src="http://bank.example/withdraw?account=bob&amount=1000000&for=ma
llory">
Million-dollar dream home example
15. Mitigation
General mitigation strategy
Per request tokens (nonce) to url/form
Referrer checking (less desirable – spoofing)
16. OtherGeneralPrinciplesThatApply
Good practices
Log detected exploit attempts and notify someone
Lock out attacker
Be careful about exposing error data, it can be extremely helpful to
an attacker
18. ClickJacking
OWASP Definition:
Clickjacking, also known as a "UI redress attack", is when an attacker
uses multiple transparent or opaque layers to trick a user into
clicking on a button or link on another page when they were
intending to click on the the top level page.Thus, the attacker is
"hijacking" clicks meant for their page and routing them to other
another page, most likely owned by another application, domain, or
both.
Using a similar technique, keystrokes can also be hijacked.With a
carefully crafted combination of stylesheets, iframes, and text
boxes, a user can be led to believe they are typing in the password
to their email or bank account, but are instead typing into an
invisible frame controlled by the attacker.
19. Examples
For example, imagine an attacker who builds a web site that has a button on it
that says "click here for a free iPod". However, on top of that web page, the
attacker has loaded an iframe with your mail account, and lined up exactly the
"delete all messages" button directly on top of the "free iPod" button.The
victim tries to click on the "free iPod" button but instead actually clicked on
the invisible "delete all messages" button. In essence, the attacker has
"hijacked" the user's click, hence the name "Clickjacking".
One of the most notorious examples of Clickjacking was an attack against the
Adobe Flash plugin settings page. By loading this page into an invisible
iframe, an attacker could trick a user into altering the security settings of
Flash, giving permission for any Flash animation to utilize the computer's
microphone and camera.
Clickjacking also made the news in the form of aTwitter worm.This
clickjacking attack convinced users to click on a button which caused them to
re-tweet the location of the malicious page, and propagated massively.
Recently, clickjacking attacks abusing Facebook's "Like" functionality has
grown significantly. Attackers can trick logged-in Facebook users to arbitrarily
like fan pages, links, groups, etc
21. Defenses –
Coding against
Javascript code to make sure current frame is the top level window
(Ok, but not great, not going to show it)
Browser response headers (Good, and will get better)
22. Response
Headers
X-FRAME-OPTIONS
Response header that newer browsers recognize, which controls
framing behavior
https://www.owasp.org/index.php/Clickjacking#Defending_with_
response_headers
Be sure to read the limitations, specifically the stuff about proxies,
and know that not all options are currently supported (ALLOW-
FROM only IE8+).
Code example (ASP.NET).
27. Odds & Ends -
Tips
Be careful in what you include in error messages that get thrown
to a browser
Sanitize log input (don’t XSS your log database)
Cigital SecureAssist plugin forVS.
Visual Studio Code Analysis (general code quality issues)
I group these two topics because most of the mitigation actions are the same, though the threat itself is different.
DOM-based rely on locally stored web pages.
Stored attacks are stored in the database and retrieved in output to users.
Reflected attacks are where the injected code is reflected off of the webserver, and usually delivered in an email (Phishing) or off of another server.
Talk about the cheat sheet.
Talk about the one from the PEN test.
Examples may seem silly, but if you can popup an alert it can be a very deep rabbit hole
I group these two topics because most of the mitigation actions are the same, though the threat itself is different.
DOM-based rely on locally stored web pages.
Stored attacks are stored in the database and retrieved in output to users.
Reflected attacks are where the injected code is reflected off of the webserver, and usually delivered in an email (Phishing) or off of another server.
Talk about the cheat sheet.
Talk about the one from the PEN test.
Examples may seem silly, but if you can popup an alert it can be a very deep rabbit hole