Overview of OWASP and its Top 10 Security Vulnerabilities. Strategies for protecting against common web application security vulnerabilities.
Presented at the January 2011 KU Web Developers meeting.
4-6. DISCLAIMER
• I am NOT a “security expert”
• But I know a little about web security
• Taken SANS DEV422: Defending Web Application Security Essentials
• I don’t know everything
9-11. ASSUMPTIONS
• This is an introduction-level talk
• You know enough PHP to be dangerous
• You’ve heard of some security vulns
• Again, I don’t know everything
20. OWASP
• Non-profit focused on improving security of application software
• Focused on awareness of risks and education on mitigating those risks
• Kansas City chapter meets every other month
• Next meeting: Thursday, February 10, 2011 at Johnson County Community College
• Free! No registration required, but RSVPs appreciated
24. INJECTION
WHAT IS IT?
Tricking an application into unintended commands in the data sent to an interpreter
Interpreter    Injection
Database       SQL Injection
Shell          Command Injection
File System    File Injection/Inclusion
PHP            PHP Injection
25. INJECTION
TYPICAL IMPACT
Technical Impact: SEVERE
• Entire database read or modified
• Access files on the filesystem
• Uses a program's elevated privileges to carry out unauthorized execution
26. INJECTION
HOW IS IT EXPLOITED?
(diagram) Source: Dave Wichers OWASP Top 10 Presentation
28-35. INJECTION
HOW TO PREVENT IT?
SYSTEM LEVEL
• Limit access rights of your application accounts
  • OS user and database accounts
• Limit attack vectors
  • Sandbox execution
  • Firewall web-facing machine
  • Close unused ports and services
(Slide 35 overlay: KU IT DOES THIS FOR YOU)
36. INJECTION
HOW TO PREVENT IT?
APPLICATION LEVEL
“Filter Input, Escape Output”
Examples:
• HTML
• SQL / DATABASE
37. INJECTION
HOW TO PREVENT IT?
HTML Injection
38. INJECTION
HOW TO PREVENT IT?
SQL Injection - Prepared Statements
39. INJECTION
HOW TO PREVENT IT?
SQL Injection
(comic) Source: http://xkcd.com/327/
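The "SQL / DATABASE" example from slides 36-38, written out as a worked example. This is added code, not the code shown on the slides; it assumes PHP with the PDO SQLite driver available and builds a throw-away in-memory table, so it runs with no server. The table name, rows and the hostile input string are all constructed for the demo.

```php
<?php
// Added example (not from the slides): the same lookup written with string
// concatenation and with a PDO prepared statement, run against an in-memory
// SQLite database. Table and rows are constructed here for the demo only.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');
$db->exec("INSERT INTO users (username, email) VALUES
           ('alice', 'alice@example.com'), ('bob', 'bob@example.com')");

// VULNERABLE: the input is pasted into the SQL text, so the database parses
// the user's bytes as part of the command rather than as a value.
function findUserVulnerable(PDO $db, string $username): array
{
    $sql = "SELECT username, email FROM users WHERE username = '$username'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// FIXED: the SQL text is constant and compiled first; the value is bound
// afterwards and can only ever be compared as a string, never parsed.
function findUserSafe(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT username, email FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$normal  = 'alice';
$hostile = "x' OR '1'='1";   // constructed: the classic tautology from the xkcd comic

foreach (['normal' => $normal, 'hostile' => $hostile] as $label => $input) {
    printf("concatenated query, %s input: %d row(s)\n", $label, count(findUserVulnerable($db, $input)));
    printf("prepared statement, %s input: %d row(s)\n", $label, count(findUserSafe($db, $input)));
}
```

With the normal input both functions return the single matching row. With the hostile input the concatenated query's WHERE clause becomes `username = 'x' OR '1'='1'`, which is true for every row, so the whole table comes back; the prepared statement compares the literal string `x' OR '1'='1` against the username column and returns nothing. Escaping with `PDO::quote()` would also block this particular string, but the prepared statement is the right default because it keeps data and command separate regardless of what characters the input contains.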
41-46. CROSS SITE SCRIPTING (XSS)
WHAT IS IT?
Malicious data delivered to an innocent user's browser
Single Request Exploit
Specially crafted URL injecting JavaScript or other defacement code
Persistent Request Exploit
Saved in the file itself or more commonly in a database
Delivered to all visitors just by visiting the page
48. CROSS SITE SCRIPTING (XSS)
TYPICAL IMPACT
Technical Impact: MODERATE
Steal stored browser data...
Session IDs & cookies
Account numbers
Usernames
Deface website
Redirect user to phishing or malware site
49. CROSS SITE SCRIPTING (XSS)
HOW IS IT EXPLOITED?
Source: Dave Wichers OWASP Top 10 Presentation
50. CROSS SITE SCRIPTING (XSS)
HOW TO PREVENT IT?
“Filter Input, Escape Output”
Validate / Sanitize user input
Escape user input sent to a Database or the Browser
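"Filter Input, Escape Output" applied to data bound for the browser, as an added example (not code from the slides): a validator that rejects what a field should never contain, and an escaper applied at render time in both element and attribute context. The stored comment is constructed.

```php
<?php
// Added example, not from the slides: "Filter Input, Escape Output" for data
// that ends up in the browser. The sample comment below is constructed.

// FILTER INPUT: accept only what the field is meant to hold, reject the rest.
// (Rejecting is safer than trying to strip "bad" characters out.)
function validateDisplayName(string $raw): ?string
{
    $name = trim($raw);
    // Letters, digits, spaces, dot, apostrophe, hyphen; 1 to 40 characters.
    return preg_match('/^[\p{L}\p{N} .\'-]{1,40}$/u', $name) ? $name : null;
}

// ESCAPE OUTPUT: every time data is written into HTML, whatever its origin.
// ENT_QUOTES also escapes ' and " so the same helper is safe inside quoted
// attribute values; ENT_SUBSTITUTE keeps invalid UTF-8 from blanking the output.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Render a stored comment. Escaping happens here, at output time, because the
// database may hold data written by older code, imports or other applications.
function renderComment(string $author, string $body): string
{
    return '<div class="comment" data-author="' . h($author) . '">'
         . '<strong>' . h($author) . '</strong>: ' . h($body)
         . '</div>';
}

// Constructed sample: a persistent (stored) payload of the kind slide 45 describes.
$storedAuthor = 'mallory" onmouseover="alert(1)';
$storedBody   = 'Nice page <script>alert(document.cookie)</script>';

// The input-time check rejects this author name outright...
var_dump(validateDisplayName($storedAuthor) === null);
// ...and even if it had reached storage, the rendered markup contains only
// entities (&lt;script&gt;, &quot;), which the browser displays as text.
echo renderComment($storedAuthor, $storedBody), PHP_EOL;
```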
64-69. BROKEN AUTHENTICATION AND SESSION MANAGEMENT
WHAT IS IT?
Authentication or Sessions are improperly implemented
HTTP is “stateless”
HTTP sends credentials with every request
Credentials are usually a Session ID
Attack is possible when attacker gets a valid Session ID
Remember Firesheep?
70-74. BROKEN AUTHENTICATION AND SESSION MANAGEMENT
TYPICAL IMPACT
Technical Impact: SEVERE
An attacker might be able to...
Login without a valid password
Change another user’s personal info
Assume another user’s identity by just clicking a link
75. BROKEN AUTHENTICATION AND SESSION MANAGEMENT
HOW IS IT EXPLOITED?
Source: Dave Wichers OWASP Top 10 Presentation
76. BROKEN AUTHENTICATION AND SESSION MANAGEMENT
HOW TO PREVENT IT?
Rely on strong authentication and session management controls
Integrate Shibboleth into your application
77. BROKEN AUTHENTICATION AND SESSION MANAGEMENT
HOW TO PREVENT IT?
Proper Session Storage
Default config stores sessions in a global temp directory
78. BROKEN AUTHENTICATION AND SESSION MANAGEMENT
HOW TO PREVENT IT?
Proper Session Regeneration
Always run session_regenerate_id() after an escalation in authentication/authorization
79. BROKEN AUTHENTICATION AND SESSION MANAGEMENT
HOW TO PREVENT IT?
Proper Session cookie handling
Only allow session cookies over secure connections
Only allow session cookies over HTTP (not JavaScript)
Only allow session IDs in cookies (not in the URL)
80. BROKEN AUTHENTICATION AND SESSION MANAGEMENT
HOW TO PREVENT IT?
Use HTTPS
NEVER deliver unencrypted network traffic when in HTTPS
http://test.ku.edu/page2.php
==> http://webmedia.ku.edu/jquery.js
https://test.ku.edu/page2.php
==> https://webmedia.ku.edu/jquery.js
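Slides 77 through 80 as one PHP bootstrap file that every page includes before `session_start()`, added here as an example (not the slides' code). The session save path, the `APP_HOST` value, the asset host and the user id are assumptions.

```php
<?php
// Added example, not from the slides: slides 77-80 applied in one bootstrap
// file included before session_start(). The save path, APP_HOST and the
// user id are hypothetical.

const APP_HOST = 'test.ku.edu'; // host this application is served from (hypothetical)

// Use HTTPS: bounce a plain-http request before a session cookie or any page
// content can go out in the clear.
function requireHttps(): void
{
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    if (!$https) {
        header('Location: https://' . APP_HOST . ($_SERVER['REQUEST_URI'] ?? '/'), true, 301);
        exit;
    }
}

// NEVER deliver unencrypted content inside an HTTPS page: asset URLs are built
// with https, never copied from a protocol the page happens to be viewed under.
function assetUrl(string $path): string
{
    return 'https://webmedia.ku.edu/' . ltrim($path, '/'); // host taken from slide 80
}

// Proper session storage and cookie handling, set before the session starts.
function configureSessions(): void
{
    // A directory only this application's OS user can read, instead of the
    // shared system temp directory the default configuration uses.
    ini_set('session.save_path', '/var/lib/myapp/sessions'); // hypothetical path

    ini_set('session.use_only_cookies', '1'); // session ID from cookies only, never the URL
    ini_set('session.use_trans_sid', '0');    // never rewrite links to carry the ID
    ini_set('session.cookie_httponly', '1');  // not readable from JavaScript
    ini_set('session.cookie_secure', '1');    // only sent over HTTPS
    ini_set('session.cookie_samesite', 'Lax'); // PHP 7.3+: withheld on most cross-site requests
}

// Proper session regeneration: issue a fresh ID the moment privilege rises, so
// an ID held before login (by the user or anyone else) is worthless afterwards.
function loginUser(int $userId): void
{
    session_regenerate_id(true); // true: delete the old session data as well
    $_SESSION['user_id'] = $userId;
    $_SESSION['auth_at'] = time();
}

function logoutUser(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Expire the cookie in the browser as well as destroying the server-side data.
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

requireHttps();
configureSessions();
session_start();
```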
82. INSECURE DIGITAL OBJECT REFERENCES
WHAT IS IT?
Users without proper credentials can view secure data
Do any users have only partial access to certain types of system data?
84. INSECURE DIGITAL OBJECT REFERENCES
TYPICAL IMPACT
Technical Impact: MODERATE
Depends on the value of the secure data
Flaws can compromise all data referenced by an insecure object
85. INSECURE DIGITAL OBJECT REFERENCES
HOW IS IT EXPLOITED?
User clicks link “My Account”
User accesses “My Account” page at URL:
http://mybank.com/account/2055
User increments parameter in the URL:
http://mybank.com/account/2056
User is granted access
86. INSECURE DIGITAL OBJECT REFERENCES
HOW TO PREVENT IT?
Use Array Map to Obfuscate URL Parameters
87. INSECURE DIGITAL OBJECT REFERENCES
HOW TO PREVENT IT?
Use switch() to test for valid values
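The array-map idea from slide 86 and the `switch()` check from slide 87 in one page, as an added example (not the slides' code). The map holds only the logged-in user's own accounts, so it is an ownership check as much as an obfuscation. Account numbers, the user id and the data layer are constructed.

```php
<?php
// Added example, not from the slides: an indirect reference map (slide 86)
// plus a switch() over the accepted actions (slide 87). Account numbers, the
// user id and the data layer are constructed.

session_start();

// Hypothetical data layer: the accounts the logged-in user is allowed to see.
function accountsForUser(int $userId): array
{
    $constructed = [1 => [2055, 2071], 2 => [2056]];
    return $constructed[$userId] ?? [];
}

// Build, once per session, a map of random opaque key => real account id.
// Only this user's accounts go in, so no key for 2056 exists in user 1's
// session and no amount of editing the URL reaches that account.
function accountMap(int $userId): array
{
    if (empty($_SESSION['account_map'])) {
        $map = [];
        foreach (accountsForUser($userId) as $realId) {
            $map[bin2hex(random_bytes(8))] = $realId;
        }
        $_SESSION['account_map'] = $map;
    }
    return $_SESSION['account_map'];
}

// URL parameter -> real id, or null when the key is not in this user's map.
function resolveAccount(string $ref): ?int
{
    $map = $_SESSION['account_map'] ?? [];
    return isset($map[$ref]) ? (int) $map[$ref] : null;
}

// Links offered on "My Account": /account.php?action=view&ref=<opaque key>
function accountLinks(array $map): string
{
    $html = '';
    foreach ($map as $ref => $realId) {
        $safeRef = htmlspecialchars($ref, ENT_QUOTES, 'UTF-8');
        $html .= '<a href="/account.php?action=view&amp;ref=' . $safeRef . '">Account</a>' . PHP_EOL;
    }
    return $html;
}

// Request handling: switch() keeps the accepted actions to a fixed list, and
// the ref is only ever resolved through the map, never used as an id itself.
function handleRequest(array $get): string
{
    $action = $get['action'] ?? '';
    $ref    = (string) ($get['ref'] ?? '');
    switch ($action) {
        case 'view':
        case 'statement':
            $accountId = resolveAccount($ref);
            if ($accountId === null) {
                http_response_code(404); // same answer whether or not the account exists
                return 'Not found';
            }
            return "Showing $action for account $accountId"; // load the real data here
        default:
            http_response_code(400);
            return 'Unknown action';
    }
}

$currentUser = 1; // constructed: the authenticated user's id from your auth layer
echo accountLinks(accountMap($currentUser));
echo handleRequest($_GET), PHP_EOL;
```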
89-90. CROSS SITE REQUEST FORGERY (CSRF)
WHAT IS IT?
Victim's browser is tricked into issuing a command to a vulnerable web application
HTTP is “stateless” - Credentials are included with every request
If the user visits another website while still authenticated...
Any request back to the application is considered authentic
91-96. CROSS SITE REQUEST FORGERY (CSRF)
TYPICAL IMPACT
Technical Impact: MODERATE
What if a hacker could steer your mouse and get you to click on links in your online banking application?
What could they make you do?
Make Transactions?
Close Accounts?
Change Password?
97-98. CROSS SITE REQUEST FORGERY (CSRF)
HOW IS IT EXPLOITED?
A vulnerable web application allows destructive actions (INSERT, UPDATE, DELETE) when using $_GET
http://mydomain.com/file.php?action=delete&id=12345
99-100. CROSS SITE REQUEST FORGERY (CSRF)
HOW IS IT EXPLOITED?
Destructive actions are executed with minimal or no verification of the origin of the request
HTTP POST => http://mydomain.com/file.php?action=delete
Only marginally more difficult to forge a POST
101-104. CROSS SITE REQUEST FORGERY (CSRF)
HOW TO PREVENT IT?
A few easy ways...
Invalidate user sessions quickly
Encourage users to logout (they don’t)
Don’t implement “Remember Me” features
105. CROSS SITE REQUEST FORGERY (CSRF)
HOW TO PREVENT IT?
Implement a CSRF Token
Add a secret, not automatically submitted, token to ALL sensitive requests
Verify token exists and matches the expected value before executing the request
106. CROSS SITE REQUEST FORGERY (CSRF)
HOW TO PREVENT IT?
Implement a CSRF Token
Generate token and store in user's session
Source: http://shiflett.org/articles/cross-site-request-forgeries
107. CROSS SITE REQUEST FORGERY (CSRF)
HOW TO PREVENT IT?
Implement a CSRF Token
Use token in POST form
Source: http://shiflett.org/articles/cross-site-request-forgeries
108. CROSS SITE REQUEST FORGERY (CSRF)
HOW TO PREVENT IT?
Implement a CSRF Token
Validate when POST received
Source: http://shiflett.org/articles/cross-site-request-forgeries
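The three steps on slides 106 to 108 in one PHP file, as an added example (not the slides' or shiflett.org's code), wired to the delete action from slide 97 so that the action only runs on a POST carrying a valid token. The form action, field names and record id are hypothetical.

```php
<?php
// Added example, not from the slides or shiflett.org: the three CSRF-token
// steps, wired to the delete action of slide 97. Form action, field names
// and the record id are hypothetical.

session_start();

// 1. Generate token and store in user's session (once per session). The
//    token is secret to this session and not sent automatically by the browser.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// 2. Use token in POST form: a hidden field. A page on another site can make
//    the browser submit a form here, but it cannot read this value to include it.
function deleteForm(int $id): string
{
    $t = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/file.php">'
         . '<input type="hidden" name="csrf_token" value="' . $t . '">'
         . '<input type="hidden" name="action" value="delete">'
         . '<input type="hidden" name="id" value="' . $id . '">'
         . '<button type="submit">Delete</button></form>';
}

// 3. Validate when POST received. hash_equals() compares in constant time;
//    is_string() rejects csrf_token[]=... style array values.
function csrfValid(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Destructive actions are reachable only by POST and only with a valid token;
// a GET with action=delete, as on slide 97, does nothing at all.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['action'] ?? '') === 'delete') {
    if (!csrfValid($_POST)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token');
    }
    $id = (int) ($_POST['id'] ?? 0);
    // ... perform the DELETE for $id, after checking the logged-in user owns it ...
    exit('Deleted');
}

echo deleteForm(12345);
```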
111. SECURITY MISCONFIGURATION
WHAT IS IT?
Running web applications on a secure foundation
From the Operating System up through Apache
All PHP extensions
All installed libraries on the server
113-116. SECURITY MISCONFIGURATION
TYPICAL IMPACT
Technical Impact: MODERATE
Install backdoor through missing security patch
Install malware on the server
“Root” the server
All your data is stolen
117. SECURITY MISCONFIGURATION
HOW IS IT EXPLOITED?
Source: Dave Wichers OWASP Top 10 Presentation
119-120. SECURITY MISCONFIGURATION
HOW TO PREVENT IT?
SYSTEM LEVEL
Update to latest application versions
Install security patches
Monitor vulnerabilities list
HOW DOES THIS FIT KU?
121-122. SECURITY MISCONFIGURATION
HOW TO PREVENT IT?
APPLICATION LEVEL
Use latest available version of PHP
Update third-party software when available
Monitor mailing lists
125. INSECURE CRYPTOGRAPHIC STORAGE
WHAT IS IT?
Incorrectly storing and transmitting confidential data
Database data
Log files
Backup files
Password files
126-127. INSECURE CRYPTOGRAPHIC STORAGE
WHAT IS IT?
What is considered secure data at KU?
Data protected by FERPA
Data protected by GLB
Data subject to PCI (credit or payment card industry) standards
Data subject to other Federal or state confidentiality laws
Donor or prospect information
Passwords and PINs
Personally Identifiable Information (“PII”)
Personnel data
Individually identifiable information created and collected by research projects
Certain research data with National Security implications
Data subject to protection pursuant to non-disclosure agreements
Audit working papers
Data protected by attorney/client privilege
Email covering topics listed above
THIS LIST IS NOT ALL INCLUSIVE
Source: https://documents.ku.edu/policies/Information_Services/APPENDIX_1_Data_Classif_Policy.htm
129. INSECURE CRYPTOGRAPHIC STORAGE
TYPICAL IMPACT
Technical Impact: SEVERE
Attacker accesses or modifies confidential data
Intellectual property stolen
You or KU might get sued
Makes the company look bad in the press
130. INSECURE CRYPTOGRAPHIC STORAGE
TYPICAL IMPACT
Business Impacts: SEVERE
High risk of...
significant financial loss
legal liability
public distrust
harm
...if this data is disclosed
134-136. INSECURE CRYPTOGRAPHIC STORAGE
HOW TO PREVENT IT?
Identify all sensitive data and all places it is stored
Don’t store private data in public_html
Don’t invent your own encryption algorithm
Don’t transmit confidential data over unencrypted means
138. FAILURE TO RESTRICT URL ACCESS
WHAT IS IT?
Unauthorized users can view private pages
Public users could access your admin functionality
139-140. FAILURE TO RESTRICT URL ACCESS
TYPICAL IMPACT
Technical Impact: MODERATE
Attackers invoke functions and services they’re not authorized for
Access other user’s accounts and data
Perform privileged actions
141. FAILURE TO RESTRICT URL ACCESS
HOW IS IT EXPLOITED?
User accesses URL
http://mydomain.com/user/profile
User changes role of URL
http://mydomain.com/manager/profile
http://mydomain.com/admin/profile
142-143. FAILURE TO RESTRICT URL ACCESS
HOW IS IT EXPLOITED?
Presentation Layer Access Control
DOESN’T WORK
144-145. FAILURE TO RESTRICT URL ACCESS
HOW IS IT EXPLOITED?
Unlinked URLs
http://mydomain.com/you/will/never/find/this/index.html
DOESN’T WORK
146-148. FAILURE TO RESTRICT URL ACCESS
HOW TO PREVENT IT?
Check credentials on every page
Disallow requests to unauthorized page types
http://mydomain.com/uploads
Test it!
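A per-page access check covering slides 146 to 148, as an added example (not the slides' code): a deny-by-default map from URL area to required role, a side-effect-free decision function so it can be tested, and assertions walking the role-swapping attempt from slide 141. URL prefixes, role names and the session layout are assumptions.

```php
<?php
// Added example, not from the slides: a check run at the top of every page
// (or once in a front controller) before any output. URL prefixes, role
// names and the session layout are hypothetical.

session_start();

// Role each URL area requires. Anything not listed is denied by default, so
// an unlinked URL or /uploads/ is no more reachable than /admin/.
const PATH_ROLES = [
    '/user/'    => 'user',
    '/manager/' => 'manager',
    '/admin/'   => 'admin',
];

// Higher index includes the rights of the lower ones.
const ROLE_ORDER = ['user', 'manager', 'admin'];

function roleSatisfies(string $have, string $need): bool
{
    $h = array_search($have, ROLE_ORDER, true);
    $n = array_search($need, ROLE_ORDER, true);
    return $h !== false && $n !== false && $h >= $n;
}

// Required role for a request path, or null when the path is not a known area.
function requiredRole(string $path): ?string
{
    // Refuse dot-dot segments before prefix matching, so a client that skips
    // URL normalisation cannot present an /admin/ page as a /user/ one.
    if (preg_match('#(^|/)\.\.(/|$)#', $path)) {
        return null;
    }
    foreach (PATH_ROLES as $prefix => $role) {
        if (strncmp($path, $prefix, strlen($prefix)) === 0) {
            return $role;
        }
    }
    return null;
}

// 'ok' or the HTTP status to send. Kept side-effect free so it is testable.
function accessDecision(string $path, ?string $userRole): string
{
    $need = requiredRole($path);
    if ($need === null) {
        return '404';
    }
    if ($userRole === null) {
        return '302'; // not logged in: send to the login page
    }
    return roleSatisfies($userRole, $need) ? 'ok' : '403';
}

function enforceAccess(string $path, ?string $userRole): void
{
    $d = accessDecision($path, $userRole);
    if ($d === 'ok') {
        return;
    }
    if ($d === '302') {
        header('Location: /login.php', true, 302);
        exit;
    }
    http_response_code((int) $d);
    exit($d === '403' ? 'Forbidden' : 'Not found');
}

// Test it: the walk from slide 141 with a plain user, plus the unlinked URLs.
assert(accessDecision('/user/profile', 'user') === 'ok');
assert(accessDecision('/manager/profile', 'user') === '403');
assert(accessDecision('/admin/profile', 'user') === '403');
assert(accessDecision('/user/../admin/profile', 'user') === '404');
assert(accessDecision('/uploads/x.php', 'admin') === '404');
assert(accessDecision('/you/will/never/find/this/index.html', 'admin') === '404');

$path = parse_url($_SERVER['REQUEST_URI'] ?? '/user/profile', PHP_URL_PATH) ?: '/';
enforceAccess($path, $_SESSION['role'] ?? null);
```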
153-159. INSUFFICIENT TRANSPORT LAYER PROTECTION
WHAT IS IT?
Sending confidential data over unencrypted protocols
Failure to identify all sensitive data
Failure to identify all places sensitive data is sent
Between:
Server and user
Backend databases
Colleagues
Internal Communications
163. INSUFFICIENT TRANSPORT LAYER PROTECTION
HOW IS IT EXPLOITED?
What is considered secure data at KU?
Data protected by FERPA
Data protected by GLB
Data subject to PCI (credit or payment card industry) standards
Data subject to other Federal or state confidentiality laws
Donor or prospect information
Passwords and PINs
Personally Identifiable Information (“PII”)
Personnel data
Individually identifiable information created and collected by research projects
Certain research data with National Security implications
Data subject to protection pursuant to non-disclosure agreements
Audit working papers
Data protected by attorney/client privilege
Email covering topics listed above
Source: https://documents.ku.edu/policies/Information_Services/APPENDIX_1_Data_Classif_Policy.htm
167-169. INSUFFICIENT TRANSPORT LAYER PROTECTION
HOW IS IT EXPLOITED?
Does your application...
Use confidential data?
Send it over email?
Send it to a database?
Use HTTPS for ALL authentication requests?
172-174. INSUFFICIENT TRANSPORT LAYER PROTECTION
HOW IS IT EXPLOITED?
Do you...
Have encrypted email setup between colleagues?
Use encrypted IM chat between colleagues?
Store your account passwords in a password safe?
175-179. INSUFFICIENT TRANSPORT LAYER PROTECTION
HOW TO PREVENT IT?
Don’t use KU Email Form to send confidential data
1. Build a web form that stores it in a secure database
2. Build a page to download or browse the info
3. Only allow specific users to access it using Shibboleth
180-182. INSUFFICIENT TRANSPORT LAYER PROTECTION
HOW TO PREVENT IT?
Use secure protocols to transmit and store data
Ever try to FTP to www2.ku.edu without SFTP?
Store confidential data in our secure Oracle database
185. INSUFFICIENT TRANSPORT LAYER PROTECTION
HOW TO PREVENT IT?
Setup email encryption between colleagues
http://www.technology.ku.edu/ca/install/
186. INSUFFICIENT TRANSPORT LAYER PROTECTION
HOW TO PREVENT IT?
Setup Off-The-Record chat encryption
http://www.h-i-r.net/2011/01/introduction-to-encrypted-internet-chat.html
187. INSUFFICIENT TRANSPORT LAYER PROTECTION
HOW TO PREVENT IT?
KeePass
Windows: http://keepass.info/
Mac: http://www.keepassx.org/
Free & Open-Source
189. UNVALIDATED REDIRECTS AND FORWARDS
WHAT IS IT?
URL Redirects built by the web application can be exploited if unvalidated
Appears as a valid URL but contains a payload
Internal redirects are common
External redirects are becoming more common
190. UNVALIDATED REDIRECTS AND FORWARDS
TYPICAL IMPACT
Technical Impact: MODERATE
Install malware
Phishing site
Bypass authorization controls
191. UNVALIDATED REDIRECTS AND FORWARDS
HOW IS IT EXPLOITED?
Source: Dave Wichers OWASP Top 10 Presentation
192. UNVALIDATED REDIRECTS AND FORWARDS
HOW TO PREVENT IT?
Avoid using redirects and forwards as much as possible
If used, don’t use user-input parameters
If using user-input...
Use Array Map to Whitelist URL Parameters
193. UNVALIDATED REDIRECTS AND FORWARDS
HOW TO PREVENT IT?
Use Array Map to Whitelist URL Parameters
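The whitelist map from slides 192 and 193 applied to both an external redirect and an internal forward, as an added example (not the slides' code): the request supplies only a short key, never a URL or a file path, and unknown keys fall back to a fixed default. Keys, targets and file names are assumptions.

```php
<?php
// Added example, not from the slides: redirects and forwards driven by a key
// looked up in a fixed array map. The request never supplies a URL or a path,
// only a key. Keys, targets and file names are hypothetical.

const REDIRECTS = [
    'home'    => '/index.php',
    'library' => 'https://www.lib.ku.edu/',    // hypothetical external target
    'support' => '/help/contact.php',
];

const FORWARDS = [
    'login'   => __DIR__ . '/pages/login.php',  // hypothetical files
    'profile' => __DIR__ . '/pages/profile.php',
];

const DEFAULT_REDIRECT = '/index.php';

// External (HTTP) redirect: only a whitelisted key can pick the Location
// value, so a full URL smuggled into ?to= is just an unknown key.
function redirectFor($key): string
{
    if (!is_string($key) || !array_key_exists($key, REDIRECTS)) {
        return DEFAULT_REDIRECT;
    }
    return REDIRECTS[$key];
}

// Internal forward: the key picks a file from the map. Because the map, not
// the request, names the file, ../ or absolute paths cannot be expressed.
function forwardFor($key): ?string
{
    if (!is_string($key) || !array_key_exists($key, FORWARDS)) {
        return null;
    }
    return FORWARDS[$key];
}

function sendRedirect($key): void
{
    header('Location: ' . redirectFor($key), true, 302);
    exit;
}

function runForward($key): void
{
    $file = forwardFor($key);
    if ($file === null) {
        http_response_code(404);
        exit('Not found');
    }
    require $file;
}

// ?to=library            -> Location: https://www.lib.ku.edu/
// ?to=<anything not a key> -> Location: /index.php
sendRedirect($_GET['to'] ?? null);
```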
195. My Challenge to you
Read the OWASP Wiki
http://www.owasp.org
Review your code
http://www.owasp.org/index.php/Code_Review_Guide
http://www.owasp.org/index.php/OWASP_Testing_Project
196. Sources
OWASP Sources:
- OWASP Application Security Verification Standard Project. <http://www.owasp.org/index.php/ASVS>
- OWASP Authentication Cheat Sheet. <http://www.owasp.org/index.php/Authentication_Cheat_Sheet>
- OWASP Code Review Project. <http://www.owasp.org/index.php/Code_Review_Guide>
- OWASP Testing Project. <http://www.owasp.org/index.php/OWASP_Testing_Project>
- OWASP Top 10 - 2010: The Top 10 Most Critical Web Application Security Risks. Dave Wichers, OWASP Board Member. <http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx>
- OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet. <http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet>
Links:
- Setting up encrypted email at KU. <http://www.technology.ku.edu/ca/install/>
- Introduction to Encrypted Internet Chat. <http://www.h-i-r.net/2011/01/introduction-to-encrypted-internet-chat.html>
Software:
- HTMLPurifier <http://htmlpurifier.org/>
- KeePass <http://keepass.info/>
- KeePassX <http://www.keepassx.org/>
- WebScarab <http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project>
Photos:
- http://www.flickr.com/photos/mrbenn/2337943659/
- http://www.flickr.com/photos/12836528@N00/4294660659/
- http://xkcd.com/327/
John Kary | johnkary@ku.edu
Web Development & Interface Design
University of Kansas, Information Technology
January 2011 KU Web Developers Meeting