WEB DEVELOPMENT AND SECURITY IN 2014
(SVILUPPO WEB E SICUREZZA NEL 2014)
Massimo Chirivì – 24/10/2014
Who I am
• Passionate about computing since 1988
• Working for companies since 1996
• Serving the public administration (P.A.) since 1998, for the good of all
• Since 2010 at one of the largest ICT companies in Italy
What I do
- Information Security
- System Administrator
- Ethical Hacking
Sharing is an ethical duty... Sharing is knowledge.
AIPSI – Associazione Italiana Professionisti Sicurezza Informatica (Italian Association of Information Security Professionals)
• AIPSI is the Italian chapter of ISSA
• An association of individual professionals
• Over 10,000 experts worldwide
• 200 members in Italy
AIPSI objectives:
• Organising educational forums
• Producing specialised documents and publications
• Exchange of experience among professionals in the field (national and international)
• A point of reference for finding IT security professionals
• Interaction with other professional organisations
• Issuing specific certificates and certifications
• Addressing the security of a web application is one of the hardest tasks a developer has to deal with during the development and integration of a piece of software, or even of a simple website.
• Threats on the web are ever more numerous, and finding vulnerabilities and attack methods is becoming ever easier, even for the less experienced.
First, let us distinguish COTS (commercial off-the-shelf) applications from CUSTOM ones.
Let us focus on COTS:
1) A large part of the web is built with this kind of application (Joomla, WordPress, Magento, VirtueMart, Alfresco, Liferay, etc.)
2) They can be either commercial or open source
3) The source code is available to everyone, attackers included!
4) Add-ons and extra components are not always written correctly and contain many vulnerabilities
5) Searching the internet for vulnerabilities and exploits is sometimes trivial.
How?
JoomScan  http://sourceforge.net/projects/joomscan/
Secunia database to check whether a vulnerability applies
BurpSuite to crawl the website
Inspect the HTML carefully
Inspect banners, footers, headers
Live HTTP Headers for the Firefox browser
Inspect the URLs: index.php?option=%component_name%&task=%xxx%&task=%value%
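The checklist above (generator tag, HTTP headers, `index.php?option=com_*` URLs) is easy to mechanise. The following is an added example, not code from the talk or from any of the projects mentioned: it fingerprints a response that a crawler such as BurpSuite or Live HTTP Headers would capture, and then looks the recovered version up in a small table transcribed from the Joomla, WordPress and Drupal advisories quoted later in this talk. All inputs are constructed samples and nothing touches the network; the two version-file formats it recognises (Joomla's `administrator/manifests/files/joomla.xml` with a `<version>` element, Drupal's `CHANGELOG.txt` whose first line reads `Drupal 7.31, ...`) and the Drupal 7 `X-Generator` header are assumptions about those products, not something the slides state.

```python
"""Passive CMS fingerprinting and affected-version lookup (added example)."""
import re

# (cms, CVE, [(first affected, last affected), ...]), transcribed from the
# advisory slides in this talk.  "3.2.5 and earlier 3.x" is encoded as
# 3.0.0 .. 3.2.5, "prior to 7.32" as 7.0 .. 7.31, "prior to 3.8.2" as 3.0 .. 3.8.1.
ADVISORIES = [
    ("Joomla", "CVE-2014-7229", [("2.5.4", "2.5.25"), ("3.0.0", "3.2.5"), ("3.3.0", "3.3.4")]),
    ("Joomla", "CVE-2014-6632", [("2.5.0", "2.5.24"), ("3.0.0", "3.2.4"), ("3.3.0", "3.3.3")]),
    ("Joomla", "CVE-2014-6631", [("3.2.0", "3.2.4"), ("3.3.0", "3.3.3")]),
    ("WordPress", "CVE-2014-5203", [("3.9", "3.9.1")]),
    ("WordPress", "CVE-2014-0166", [("3.0", "3.8.1")]),
    ("Drupal", "CVE-2014-3704", [("7.0", "7.31")]),
]

GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="([^"]*)"', re.I)
COMPONENT_RE = re.compile(r'index\.php\?[^"\'\s]*?option=(com_\w+)', re.I)
VERSION_RE = re.compile(r"\b(\d+\.\d+(?:\.\d+)?)\b")


def parse_version(text):
    """'3.3.3' -> (3, 3, 3).  Tuples compare element-wise, so '3.9' < '3.9.1'."""
    return tuple(int(part) for part in text.split("."))


def version_affected(cms, version):
    """CVEs in ADVISORIES whose affected ranges contain `version`."""
    v = parse_version(version)
    return [cve for name, cve, ranges in ADVISORIES if name == cms
            and any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)]


def fingerprint(headers, html, manifest=""):
    """Identify the CMS and, where it is exposed, its version.

    headers:  response headers as a dict (what Live HTTP Headers shows you)
    html:     the page body
    manifest: optional text of a version file the crawler fetched (assumed
              formats: Joomla joomla.xml <version>, Drupal CHANGELOG.txt)
    """
    cms, version = None, None
    m = GENERATOR_RE.search(html)
    generator = m.group(1) if m else ""
    evidence = (generator + " " + headers.get("X-Generator", "")).lower()
    for name in ("Joomla", "WordPress", "Drupal"):
        if name.lower() in evidence:
            cms = name
    v = VERSION_RE.search(generator)     # WordPress prints its version here by default
    if v:
        version = v.group(1)
    components = sorted(set(COMPONENT_RE.findall(html)))
    if components and cms is None:
        cms = "Joomla"                   # option=com_* is Joomla's routing scheme
    if version is None and manifest:
        v = (re.search(r"<version>([\d.]+)</version>", manifest)
             or re.search(r"^Drupal (\d+\.\d+)", manifest, re.M))
        if v:
            version = v.group(1)
    return {"cms": cms, "version": version, "components": components,
            "server": headers.get("Server"), "powered_by": headers.get("X-Powered-By")}


def assess(headers, html, manifest=""):
    """Fingerprint, then attach the advisories that apply to the detected version."""
    result = fingerprint(headers, html, manifest)
    result["advisories"] = (version_affected(result["cms"], result["version"])
                            if result["cms"] and result["version"] else [])
    return result


# Constructed samples (not captures from real hosts).
JOOMLA_HEADERS = {"Server": "Apache/2.2.22 (Debian)", "X-Powered-By": "PHP/5.4.4"}
JOOMLA_HTML = """<html><head>
<meta name="generator" content="Joomla! - Open Source Content Management" />
</head><body>
<a href="/index.php?option=com_content&view=article&id=1">Article</a>
<a href="/index.php?option=com_media&task=images.list">Media</a>
</body></html>"""
JOOMLA_MANIFEST = '<extension type="file"><name>files_joomla</name><version>3.3.3</version></extension>'
WORDPRESS_HTML = '<meta name="generator" content="WordPress 3.9.1" />'
DRUPAL_HEADERS = {"X-Generator": "Drupal 7 (http://drupal.org)"}
DRUPAL_CHANGELOG = "Drupal 7.31, 2014-08-06\n-----------------------\n- Fixed security issues."

if __name__ == "__main__":
    print(assess(JOOMLA_HEADERS, JOOMLA_HTML, JOOMLA_MANIFEST))
    print(assess({}, WORDPRESS_HTML))
    print(assess(DRUPAL_HEADERS, "", DRUPAL_CHANGELOG))
```

The point of the `components` list is the slide's URL hint: each `com_*` name is an extension whose own advisories you would search for next (the com_media XSS below is one), since add-ons are where most of the CMS vulnerabilities live.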
Let us look at some vulnerabilities in the best-known open source projects.
[20140904] - Core - Denial of Service
• Project: Joomla!
• SubProject: CMS
• Severity: Low
• Versions: 2.5.4 through 2.5.25, 3.2.5 and earlier 3.x versions, 3.3.0 through 3.3.4
• Exploit type: Denial of Service
• Reported Date: 2014-September-24
• Fixed Date: 2014-September-30
• CVE Number: CVE-2014-7229
Description
Inadequate checking allowed the potential for a denial of service attack.
Affected Installs
Joomla! CMS versions 2.5.4 through 2.5.25, 3.2.5 and earlier 3.x versions, 3.3.0 through 3.3.4
Solution
Upgrade to version 2.5.26, 3.2.6, or 3.3.5
[20140902] - Core - Unauthorised Logins
• Project: Joomla!
• SubProject: CMS
• Severity: Moderate
• Versions: 2.5.24 and earlier 2.5.x versions, 3.2.4 and earlier 3.x versions, 3.3.0 through 3.3.3
• Exploit type: Unauthorised Logins
• Reported Date: 2014-September-09
• Fixed Date: 2014-September-23
• CVE Number: CVE-2014-6632
Description
Inadequate checking allowed unauthorised logins via LDAP authentication.
Affected Installs
Joomla! CMS versions 2.5.24 and earlier 2.5.x versions, 3.2.4 and earlier 3.x versions, 3.3.0 through 3.3.3
Solution
Upgrade to version 2.5.25, 3.2.5, or 3.3.4
[20140901] - Core - XSS Vulnerability
• Project: Joomla!
• SubProject: CMS
• Severity: Moderate
• Versions: 3.2.0 through 3.2.4, 3.3.0 through 3.3.3
• Exploit type: XSS Vulnerability
• Reported Date: 2014-August-27
• Fixed Date: 2014-September-23
• CVE Number: CVE-2014-6631
Description
Inadequate escaping leads to XSS vulnerability in com_media.
Affected Installs
Joomla! CMS versions 3.2.0 through 3.2.4 and 3.3.0 through 3.3.3
Solution
Upgrade to version 3.2.5 or 3.3.4
[20140301] - Core - SQL Injection
• Project: Joomla!
• SubProject: CMS
• Severity: High
• Versions: 3.1.0 through 3.2.2
• Exploit type: SQL Injection
• Reported Date: 2014-February-06
• Fixed Date: 2014-March-06
• CVE Number: Pending
Description
Inadequate escaping leads to SQL injection vulnerability.
Affected Installs
Joomla! CMS versions 3.1.0 through 3.2.2
Solution
Upgrade to version 3.2.3
Secunia Advisory SA59670 
Where: 
From remote 
Impact: 
Exposure of sensitive information, DoS, System access 
Solution Status: 
Vendor Patch 
Software: 
WordPress 3.x 
CVE Reference(s): 
CVE-2014-2053 
CVE-2014-5203 
Description 
Multiple vulnerabilities have been reported in WordPress, which can be exploited by malicious users to disclose certain sensitive information or 
cause a DoS (Denial of Service) and potentially compromise a vulnerable system and by malicious people to cause a DoS. 
1) An error in the xmlrpc.php script when expanding entity references can be exploited to exhaust memory and CPU resources via specially 
crafted XML data containing malicious attributes. 
2) The wp-includes/class-wp-customize-widgets.php script uses the "unserialize()" function with user controlled input. This can be exploited to 
e.g. potentially execute arbitrary PHP code via a specially crafted serialized object. 
3) The application bundles a vulnerable version of getID3(). 
For more information: SA57252 
The vulnerabilities are reported in versions 3.9 and 3.9.1. 
Solution: 
Update to version 3.9.2.
Secunia Advisory SA57769 
Where: 
From remote 
Impact: 
Security Bypass, Cross Site Scripting 
Solution Status: 
Vendor Patch 
Software: 
WordPress 3.x 
CVE Reference(s): 
CVE-2014-0165 
CVE-2014-0166 
Description 
Multiple vulnerabilities have been reported in WordPress, which can be exploited by malicious users to bypass certain security 
restrictions and by malicious people to conduct cross-site scripting and bypass certain security restrictions. 
1) An error in the cookie keyed hash value verification can be exploited to gain unauthorized access. 
2) An error when verifying the "publish_post" capability can be exploited to perform otherwise restricted operations e.g. publish 
new post with the Contributor role. 
3) Certain unspecified input related to Plupload is not properly sanitised before being returned to the user. This can be exploited to 
execute arbitrary HTML and script code in a user's browser session in context of an affected site. 
The vulnerabilities are reported in versions prior to 3.8.2. 
Solution: 
Update to version 3.8.3.
Secunia Advisory SA60352 
Where: 
From remote 
Impact: 
Manipulation of data 
Solution Status: 
Vendor Patch 
Software: 
Drupal 7.x 
CVE Reference(s): 
CVE-2014-3704 
Description 
SektionEins has reported a vulnerability in Drupal, which can be exploited by malicious people to conduct 
SQL injection attacks. 
Certain input passed as array keys to the database abstraction API is not properly sanitised in the 
"Database::expandArguments()" method (includes/database/database.inc) before being used in a SQL query. 
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. 
The vulnerability is reported in versions prior to 7.32. 
Solution: 
Update to version 7.32.
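The advisory above describes the mechanism only in one sentence: array keys reach `Database::expandArguments()` unsanitised. What follows is an added example, written for this page in Python with sqlite3 rather than taken from Drupal's PHP, that models that mechanism. Drupal lets a query say `IN (:name)` with `:name` bound to an array, and expands it to one placeholder per element (`:name_0, :name_1, ...`). Before 7.32 the suffix was the array key, verbatim; since PHP builds arrays from request parameters such as `name[key]=value`, the key, and therefore the SQL text, was attacker controlled. The 7.32 fix numbers the elements by position instead, which is what `fixed=True` models here (the PHP arrays are represented as Python dicts, and the sample table and attacker input are constructed).

```python
"""Array-key placeholder expansion, vulnerable vs. fixed (added example)."""
import re
import sqlite3


def expand_arguments(query, args, fixed=True):
    """Expand every placeholder whose bound value is a dict (a PHP array)
    into one named placeholder per element, the way Drupal 7 handles IN (:name).

    fixed=False reproduces the pre-7.32 behaviour: the suffix is the array key,
    verbatim, so request-controlled text is spliced into the SQL string.
    fixed=True numbers the elements by position and drops the keys entirely.
    """
    bound = {}
    for name, value in args.items():
        if not isinstance(value, dict):
            bound[name] = value
            continue
        pairs = enumerate(value.values()) if fixed else value.items()
        placeholders = []
        for key, item in pairs:
            new_name = f"{name}_{key}"
            placeholders.append(":" + new_name)
            bound[new_name] = item
        query = re.sub(rf":{re.escape(name)}\b", lambda _m: ", ".join(placeholders), query)
    return query, bound


def make_db():
    """In-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "administrator"), ("alice", "editor"), ("bob", "editor")])
    return conn


def lookup_users(conn, names, fixed=True):
    """Return (expanded_sql, rows) for SELECT ... WHERE name IN (:name)."""
    sql, params = expand_arguments(
        "SELECT name, role FROM users WHERE name IN (:name)", {"name": names}, fixed=fixed)
    return sql, [tuple(row) for row in conn.execute(sql, params)]


# Constructed attacker input, modelled on a form submitted as
#   name[0) OR 1=1 -- ]=x&name[0]=y
# The second element exists only so that ":name_0" has a value to bind;
# the first element's key becomes SQL text in the vulnerable expansion.
ATTACK = {"0) OR 1=1 -- ": "x", "0": "y"}


def demo():
    """Run the benign, vulnerable and fixed cases against the sample table."""
    conn = make_db()
    _, benign = lookup_users(conn, {"0": "alice"})
    vuln_sql, vuln = lookup_users(conn, ATTACK, fixed=False)
    fixed_sql, fixed = lookup_users(conn, ATTACK, fixed=True)
    return {"benign": benign, "vuln_sql": vuln_sql, "vuln": vuln,
            "fixed_sql": fixed_sql, "fixed": fixed}


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

With `fixed=False` the query becomes `... WHERE name IN (:name_0) OR 1=1 -- , :name_0)` and returns every row, admin included, even though every value was bound as a parameter; parameter binding protects the values, not the placeholder names. With `fixed=True` the same input yields `IN (:name_0, :name_1)` bound to `x` and `y`, and the attacker's key never leaves the application. That is also why this class of bug is worth a code review rule: any code that builds identifiers or placeholder names from request data deserves the same suspicion as string-concatenated SQL.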
Secunia Advisory SA56494 
Where: 
From remote 
Impact: 
Hijacking, Security Bypass 
Solution Status: 
Vendor Patch 
Software: 
Drupal 6.x 
Drupal 7.x 
CVE Reference(s): 
CVE-2014-1475 
CVE-2014-1476 
Description 
A security issue and a vulnerability have been reported in Drupal, which can be exploited by malicious users to bypass certain security 
restrictions and hijack another user's account. 
1) An unspecified error within the OpenID module can be exploited to hijack user accounts associated with one or more OpenID identities. 
This vulnerability is reported in 6.x versions prior to 6.30 and 7.x versions prior to 7.26. 
2) An unspecified error within the Taxonomy module can be exploited to access unpublished content on certain restricted pages. 
NOTE: This security issue only affects installations which have been upgraded from Drupal versions 6.x or prior. 
This security issue is reported in 7.x versions prior to 7.26. 
Solution: 
Update to a fixed version.
Sources: 
• http://www.openwall.com/ 
• http://secunia.com/ 
• https://www.drupal.org/ 
• http://developer.joomla.org/ 
• https://wordpress.org/ 
• http://cve.mitre.org/ 
• http://nvd.nist.gov/
Thank you for your attention
www.massimochirivi.net
info@massimochirivi.net
Facebook
Skype: mchirivi
Linkedin
SMAU website – www.smau.it
AIPSI website -- www.aipsi.org
Study, try, expand, research, analyse, improve...
... and share with others, you too
... always wearing the white hat
 
ICT SECURITY E PMI - SMAU Milano 2013
ICT SECURITY E PMI -  SMAU Milano 2013ICT SECURITY E PMI -  SMAU Milano 2013
ICT SECURITY E PMI - SMAU Milano 2013
 
La sicurezza delle Web Application - SMAU Business Bari 2013
La sicurezza delle Web Application - SMAU Business Bari 2013La sicurezza delle Web Application - SMAU Business Bari 2013
La sicurezza delle Web Application - SMAU Business Bari 2013
 
Il Cloud computing nel 2012 - il know aziendale è al sicuro
Il Cloud computing nel 2012 - il know aziendale è al sicuroIl Cloud computing nel 2012 - il know aziendale è al sicuro
Il Cloud computing nel 2012 - il know aziendale è al sicuro
 
SMAU Milano 2011 - AIPSI
SMAU Milano 2011 - AIPSISMAU Milano 2011 - AIPSI
SMAU Milano 2011 - AIPSI
 
Adolescenti salentini e social network
Adolescenti salentini e social networkAdolescenti salentini e social network
Adolescenti salentini e social network
 
SMAU 2011 Bari
SMAU 2011 BariSMAU 2011 Bari
SMAU 2011 Bari
 

Recently uploaded

Zaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdfZaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdf
AmandaCheung15
 
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
sunilverma7884
 
Acumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptxAcumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptx
BrainSell Technologies
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
Google Developer Group - Harare
 
Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10
ankush9927
 
Semantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software DevelopmentSemantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software Development
Baishakhi Ray
 
Patch Tuesday de julio
Patch Tuesday de julioPatch Tuesday de julio
Patch Tuesday de julio
Ivanti
 
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision MakingConnector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
DianaGray10
 
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptxMAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
janagijoythi
 
Types of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technologyTypes of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technology
ldtexsolbl
 
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
maigasapphire
 
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and DisadvantagesBLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
SAI KAILASH R
 
Gen AI: Privacy Risks of Large Language Models (LLMs)
Gen AI: Privacy Risks of Large Language Models (LLMs)Gen AI: Privacy Risks of Large Language Models (LLMs)
Gen AI: Privacy Risks of Large Language Models (LLMs)
Debmalya Biswas
 
Mastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for SuccessMastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for Success
David Wilson
 
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
bhumivarma35300
 
It's your unstructured data: How to get your GenAI app to production (and spe...
It's your unstructured data: How to get your GenAI app to production (and spe...It's your unstructured data: How to get your GenAI app to production (and spe...
It's your unstructured data: How to get your GenAI app to production (and spe...
Zilliz
 
How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...
DianaGray10
 
LeadMagnet IQ Review: Unlock the Secret to Effortless Traffic and Leads.pdf
LeadMagnet IQ Review:  Unlock the Secret to Effortless Traffic and Leads.pdfLeadMagnet IQ Review:  Unlock the Secret to Effortless Traffic and Leads.pdf
LeadMagnet IQ Review: Unlock the Secret to Effortless Traffic and Leads.pdf
SelfMade bd
 
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Nicolás Lopéz
 
Retrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with RagasRetrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with Ragas
Zilliz
 

Recently uploaded (20)

Zaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdfZaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdf
 
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
 
Acumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptxAcumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptx
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
 
Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10
 
Semantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software DevelopmentSemantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software Development
 
Patch Tuesday de julio
Patch Tuesday de julioPatch Tuesday de julio
Patch Tuesday de julio
 
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision MakingConnector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
 
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptxMAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
 
Types of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technologyTypes of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technology
 
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
 
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and DisadvantagesBLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
 
Gen AI: Privacy Risks of Large Language Models (LLMs)
Gen AI: Privacy Risks of Large Language Models (LLMs)Gen AI: Privacy Risks of Large Language Models (LLMs)
Gen AI: Privacy Risks of Large Language Models (LLMs)
 
Mastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for SuccessMastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for Success
 
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
 
It's your unstructured data: How to get your GenAI app to production (and spe...
It's your unstructured data: How to get your GenAI app to production (and spe...It's your unstructured data: How to get your GenAI app to production (and spe...
It's your unstructured data: How to get your GenAI app to production (and spe...
 
How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...
 
LeadMagnet IQ Review: Unlock the Secret to Effortless Traffic and Leads.pdf
LeadMagnet IQ Review:  Unlock the Secret to Effortless Traffic and Leads.pdfLeadMagnet IQ Review:  Unlock the Secret to Effortless Traffic and Leads.pdf
LeadMagnet IQ Review: Unlock the Secret to Effortless Traffic and Leads.pdf
 
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024
 
Retrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with RagasRetrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with Ragas
 

WEB DEVELOPMENT AND SECURITY IN 2014

  • 1. WEB DEVELOPMENT AND SECURITY IN 2014
    Massimo Chirivì – 24/10/2014
  • 2. About me
    • Passionate about computing since 1988
    • Working for companies since 1996
    • Serving the public administration, for the good of all, since 1998
    • Since 2010 at one of the largest ICT companies in Italy.
    What I do
    - Information Security
    - System Administrator
    - Ethical Hacking
    Sharing is an ethical duty… sharing is knowledge.
  • 3. AIPSI – Associazione Italiana Professionisti Sicurezza Informatica
    AIPSI: the Italian chapter of ISSA; an association of individual professionals; over 10,000 experts worldwide; 200 members in Italy
  • 4. AIPSI – Associazione Italiana Professionisti Sicurezza Informatica
    Objectives:
    • Organising educational forums
    • Producing specialised documents and publications
    • Exchanging experience among professionals in the field (national and international)
    • Acting as a reference point for finding IT security professionals
    • Interacting with other professional organisations
    • Issuing specific certificates and certifications
  • 5. WEB DEVELOPMENT AND SECURITY IN 2014
    • Addressing the security of a web application is one of the hardest tasks a developer has to consider during the development and integration phases of a piece of software or even a simple website.
    • Threats on the web keep growing in number, and finding vulnerabilities and attack methods keeps getting easier, even for the less experienced.
  • 6. WEB DEVELOPMENT AND SECURITY IN 2014
    Let us first distinguish COTS applications from CUSTOM ones. Focusing on COTS:
    1) A large part of the web is built with this kind of application (Joomla, Wordpress, Magento, Virtuemart, Alfresco, Liferay, etc.)
    2) They can be either commercial or open source
    3) The source code is available to everyone, including malicious actors!
    4) Add-ons or additional components are not always written correctly and contain many vulnerabilities
    5) Searching the internet for vulnerabilities and exploits is sometimes trivial. How?
    JoomScan http://sourceforge.net/projects/joomscan/
    The Secunia database, to check for the vulnerability
    BurpSuite, for crawling the website
    Inspect the HTML carefully
    Inspect banners, footers and headers
    Live HTTP Headers for the Firefox browser
    Inspect the URLs: index.php?option=%component_name%&task=%xxx%&task=%value%
  • 7. WEB DEVELOPMENT AND SECURITY IN 2014
    Let us look at some vulnerabilities in the best-known Open Source projects.
    [20140904] - Core - Denial of Service
    • Project: Joomla!
    • SubProject: CMS
    • Severity: Low
    • Versions: 2.5.4 through 2.5.25, 3.2.5 and earlier 3.x versions, 3.3.0 through 3.3.4
    • Exploit type: Denial of Service
    • Reported Date: 2014-September-24
    • Fixed Date: 2014-September-30
    • CVE Number: CVE-2014-7229
    Description: Inadequate checking allowed the potential for a denial of service attack.
    Affected Installs: Joomla! CMS versions 2.5.4 through 2.5.25, 3.2.5 and earlier 3.x versions, 3.3.0 through 3.3.4
    Solution: Upgrade to version 2.5.26, 3.2.6, or 3.3.5
  • 8. WEB DEVELOPMENT AND SECURITY IN 2014
    [20140902] - Core - Unauthorised Logins
    • Project: Joomla!
    • SubProject: CMS
    • Severity: Moderate
    • Versions: 2.5.24 and earlier 2.5.x versions, 3.2.4 and earlier 3.x versions, 3.3.0 through 3.3.3
    • Exploit type: Unauthorised Logins
    • Reported Date: 2014-September-09
    • Fixed Date: 2014-September-23
    • CVE Number: CVE-2014-6632
    Description: Inadequate checking allowed unauthorised logins via LDAP authentication.
    Affected Installs: Joomla! CMS versions 2.5.24 and earlier 2.5.x versions, 3.2.4 and earlier 3.x versions, 3.3.0 through 3.3.3
    Solution: Upgrade to version 2.5.25, 3.2.5, or 3.3.4
  • 9. WEB DEVELOPMENT AND SECURITY IN 2014
    [20140901] - Core - XSS Vulnerability
    • Project: Joomla!
    • SubProject: CMS
    • Severity: Moderate
    • Versions: 3.2.0 through 3.2.4, 3.3.0 through 3.3.3
    • Exploit type: XSS Vulnerability
    • Reported Date: 2014-August-27
    • Fixed Date: 2014-September-23
    • CVE Number: CVE-2014-6631
    Description: Inadequate escaping leads to XSS vulnerability in com_media.
    Affected Installs: Joomla! CMS versions 3.2.0 through 3.2.4 and 3.3.0 through 3.3.3
    Solution: Upgrade to version 3.2.5 or 3.3.4
  • 10. WEB DEVELOPMENT AND SECURITY IN 2014
    [20140301] - Core - SQL Injection
    • Project: Joomla!
    • SubProject: CMS
    • Severity: High
    • Versions: 3.1.0 through 3.2.2
    • Exploit type: SQL Injection
    • Reported Date: 2014-February-06
    • Fixed Date: 2014-March-06
    • CVE Number: Pending
    Description: Inadequate escaping leads to SQL injection vulnerability.
    Affected Installs: Joomla! CMS versions 3.1.0 through 3.2.2
    Solution: Upgrade to version 3.2.3
  • 11. WEB DEVELOPMENT AND SECURITY IN 2014
  • 12. WEB DEVELOPMENT AND SECURITY IN 2014
    Secunia Advisory SA59670
    Where: From remote
    Impact: Exposure of sensitive information, DoS, System access
    Solution Status: Vendor Patch
    Software: WordPress 3.x
    CVE Reference(s): CVE-2014-2053, CVE-2014-5203
    Description: Multiple vulnerabilities have been reported in WordPress, which can be exploited by malicious users to disclose certain sensitive information or cause a DoS (Denial of Service) and potentially compromise a vulnerable system, and by malicious people to cause a DoS.
    1) An error in the xmlrpc.php script when expanding entity references can be exploited to exhaust memory and CPU resources via specially crafted XML data containing malicious attributes.
    2) The wp-includes/class-wp-customize-widgets.php script uses the "unserialize()" function with user controlled input. This can be exploited to e.g. potentially execute arbitrary PHP code via a specially crafted serialized object.
    3) The application bundles a vulnerable version of getID3(). For more information: SA57252
    The vulnerabilities are reported in versions 3.9 and 3.9.1.
    Solution: Update to version 3.9.2.
  • 13. WEB DEVELOPMENT AND SECURITY IN 2014
    Secunia Advisory SA57769
    Where: From remote
    Impact: Security Bypass, Cross Site Scripting
    Solution Status: Vendor Patch
    Software: WordPress 3.x
    CVE Reference(s): CVE-2014-0165, CVE-2014-0166
    Description: Multiple vulnerabilities have been reported in WordPress, which can be exploited by malicious users to bypass certain security restrictions and by malicious people to conduct cross-site scripting and bypass certain security restrictions.
    1) An error in the cookie keyed hash value verification can be exploited to gain unauthorized access.
    2) An error when verifying the "publish_post" capability can be exploited to perform otherwise restricted operations, e.g. publish a new post with the Contributor role.
    3) Certain unspecified input related to Plupload is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
    The vulnerabilities are reported in versions prior to 3.8.2.
    Solution: Update to version 3.8.3.
  • 14. WEB DEVELOPMENT AND SECURITY IN 2014
  • 15. WEB DEVELOPMENT AND SECURITY IN 2014
    Secunia Advisory SA60352
    Where: From remote
    Impact: Manipulation of data
    Solution Status: Vendor Patch
    Software: Drupal 7.x
    CVE Reference(s): CVE-2014-3704
    Description: SektionEins has reported a vulnerability in Drupal, which can be exploited by malicious people to conduct SQL injection attacks. Certain input passed as array keys to the database abstraction API is not properly sanitised in the "Database::expandArguments()" method (includes/database/database.inc) before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
    The vulnerability is reported in versions prior to 7.32.
    Solution: Update to version 7.32.
  • 16. WEB DEVELOPMENT AND SECURITY IN 2014
    Secunia Advisory SA56494
    Where: From remote
    Impact: Hijacking, Security Bypass
    Solution Status: Vendor Patch
    Software: Drupal 6.x, Drupal 7.x
    CVE Reference(s): CVE-2014-1475, CVE-2014-1476
    Description: A security issue and a vulnerability have been reported in Drupal, which can be exploited by malicious users to bypass certain security restrictions and hijack another user's account.
    1) An unspecified error within the OpenID module can be exploited to hijack user accounts associated with one or more OpenID identities. This vulnerability is reported in 6.x versions prior to 6.30 and 7.x versions prior to 7.26.
    2) An unspecified error within the Taxonomy module can be exploited to access unpublished content on certain restricted pages. NOTE: This security issue only affects installations which have been upgraded from Drupal versions 6.x or prior. This security issue is reported in 7.x versions prior to 7.26.
    Solution: Update to a fixed version.
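The Drupal advisory above (SA60352, CVE-2014-3704) names Database::expandArguments() as the method that let array keys reach the SQL text. The following Python re-creation of that routine is an added example, not Drupal's own code: it contrasts the pre-7.32 expansion, which built placeholder names from caller-supplied array keys, with the 7.32 behaviour that numbers them positionally, plus a small review check; the queries and argument arrays are constructed for the demo.

```python
"""Root cause and fix of CVE-2014-3704 (Drupal SA-CORE-2014-005), in miniature.

Added example, not Drupal's code: a Python re-creation of how
Database::expandArguments() turns one array-valued placeholder into a list of
placeholders. Before 7.32 the placeholder names were built from the array's
keys, so caller-controlled keys became part of the SQL string; 7.32 switched
to positional indices (array_values), so only the values are ever bound.
Sample queries and argument arrays are constructed for this demo.
"""
import re


def _expand(query: str, args: dict, use_keys: bool) -> tuple[str, dict]:
    """Replace every array-valued placeholder `:key` with `:key_0, :key_1, ...`
    and bind the elements under those new names (args is left unmodified)."""
    args = dict(args)
    for key, data in [(k, v) for k, v in args.items() if isinstance(v, dict)]:
        # PHP arrays are ordered maps; a dict models both list- and map-shaped input.
        items = data.items() if use_keys else enumerate(data.values())
        new_keys = {f"{key}_{i}": value for i, value in items}
        # Drupal: preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query)
        query = re.sub(re.escape(key) + r"\b", ", ".join(new_keys), query)
        del args[key]
        args.update(new_keys)
    return query, args


def expand_arguments_before_7_32(query: str, args: dict) -> tuple[str, dict]:
    """Vulnerable behaviour: array keys become part of the placeholder names."""
    return _expand(query, args, use_keys=True)


def expand_arguments_7_32(query: str, args: dict) -> tuple[str, dict]:
    """Fixed behaviour: placeholders are numbered 0..n-1 whatever the keys were."""
    return _expand(query, args, use_keys=False)


def placeholders_are_generated(args: dict, key: str) -> bool:
    """Review check on the expanded argument map: every placeholder derived
    from `key` must be key_<digits>; anything else means a caller-supplied
    key was turned into query text."""
    pattern = re.compile(re.escape(key) + r"_\d+$")
    derived = [k for k in args if k.startswith(key + "_")]
    return bool(derived) and all(pattern.match(k) for k in derived)


if __name__ == "__main__":
    sql = "SELECT uid FROM users WHERE name IN (:name) AND status = :status"
    # Constructed input: a map-shaped array with non-numeric keys.
    bound = {":name": {"x": "alice", "y": "bob"}, ":status": 1}
    for label, fn in (("before 7.32", expand_arguments_before_7_32),
                      ("7.32", expand_arguments_7_32)):
        q, a = fn(sql, bound)
        print(f"{label}: {q}  safe={placeholders_are_generated(a, ':name')}")
```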
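The Joomla, WordPress and Drupal advisories in slides 7 to 16 all come down to the same operational question: is the installed version inside an affected range, and which release clears it? The script below is an added example, not from the slides or any vendor tool: it encodes those advisories' version ranges as data and checks a constructed inventory against them (hostnames are made up).

```python
"""Check an installed CMS version against the advisories quoted in the slides.

Added example, not from the slides or any vendor tool. Affected ranges and
fixed releases are transcribed from the advisory text on the page; open-ended
phrases are encoded as inclusive ranges, e.g. "3.2.5 and earlier 3.x versions"
-> ("3.0.0", "3.2.5") and "versions prior to 7.32" -> ("7.0", "7.31").
Pre-release suffixes are not handled."""

# (advisory id, product, inclusive affected ranges, fixed releases)
ADVISORIES = [
    ("Joomla 20140904 / CVE-2014-7229", "joomla",
     [("2.5.4", "2.5.25"), ("3.0.0", "3.2.5"), ("3.3.0", "3.3.4")],
     ["2.5.26", "3.2.6", "3.3.5"]),
    ("Joomla 20140902 / CVE-2014-6632", "joomla",
     [("2.5.0", "2.5.24"), ("3.0.0", "3.2.4"), ("3.3.0", "3.3.3")],
     ["2.5.25", "3.2.5", "3.3.4"]),
    ("Joomla 20140901 / CVE-2014-6631", "joomla",
     [("3.2.0", "3.2.4"), ("3.3.0", "3.3.3")], ["3.2.5", "3.3.4"]),
    ("Joomla 20140301 / SQL injection (CVE pending)", "joomla",
     [("3.1.0", "3.2.2")], ["3.2.3"]),
    ("Secunia SA59670 / CVE-2014-2053, CVE-2014-5203", "wordpress",
     [("3.9", "3.9.1")], ["3.9.2"]),
    ("Secunia SA57769 / CVE-2014-0165, CVE-2014-0166", "wordpress",
     [("3.0", "3.8.1")], ["3.8.3"]),
    ("Secunia SA60352 / CVE-2014-3704", "drupal",
     [("7.0", "7.31")], ["7.32"]),
    ("Secunia SA56494 / CVE-2014-1475, CVE-2014-1476", "drupal",
     [("6.0", "6.29"), ("7.0", "7.25")], ["6.30", "7.26"]),
]


def parse_version(text: str) -> tuple[int, ...]:
    """'3.2.5' -> (3, 2, 5); tuples compare correctly even with mixed lengths."""
    return tuple(int(part) for part in text.strip().split("."))


def in_range(version: str, low: str, high: str) -> bool:
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def recommended_upgrade(version: str, fixed: list[str]) -> str:
    """Prefer the fixed release on the installed major.minor branch; otherwise
    the lowest fixed release above the installed version."""
    installed = parse_version(version)
    newer = [parse_version(f) for f in fixed if parse_version(f) > installed]
    same_branch = [f for f in newer if f[:2] == installed[:2]]
    return ".".join(map(str, min(same_branch or newer)))


def matching_advisories(product: str, version: str) -> list[tuple[str, str]]:
    """(advisory id, recommended upgrade) for every advisory that lists the
    installed version as affected, in page order."""
    hits = []
    for adv_id, prod, ranges, fixed in ADVISORIES:
        if prod == product and any(in_range(version, lo, hi) for lo, hi in ranges):
            hits.append((adv_id, recommended_upgrade(version, fixed)))
    return hits


def minimum_safe_version(product: str, version: str) -> str:
    """Climb through recommended upgrades until no advisory on the page applies."""
    current = version
    hits = matching_advisories(product, current)
    while hits:
        current = ".".join(map(str, max(parse_version(up) for _, up in hits)))
        hits = matching_advisories(product, current)
    return current


if __name__ == "__main__":
    # Constructed inventory of installs to review (hostnames are made up).
    inventory = [("cms1.example", "joomla", "3.2.2"),
                 ("blog.example", "wordpress", "3.9.1"),
                 ("portal.example", "drupal", "7.20")]
    for host, product, version in inventory:
        for adv_id, upgrade in matching_advisories(product, version):
            print(f"{host}: {product} {version} affected by {adv_id}; upgrade to {upgrade}")
        print(f"{host}: minimum safe {product} version = {minimum_safe_version(product, version)}")
```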
  • 17. WEB DEVELOPMENT AND SECURITY IN 2014
    Web references:
    • http://www.openwall.com/
    • http://secunia.com/
    • https://www.drupal.org/
    • http://developer.joomla.org/
    • https://wordpress.org/
    • http://cve.mitre.org/
    • http://nvd.nist.gov/
  • 18. Thank you for your attention
    www.massimochirivi.net
    info@massimochirivi.net
    Facebook
    Skype: mchirivi
    Linkedin
    SMAU site – www.smau.it
    AIPSI site -- www.aipsi.org
    Study, try, expand, research, analyse, improve … … and share with others too … always wearing the white hat
    WEB DEVELOPMENT AND SECURITY IN 2014