Tales of modern day data breaches - a web security guide for developers
Jaap Karan Singh
jaap@scw.io
Co-Founder & Chief Singh, Secure Code Warrior
> Today’s challenges with software security
21% of data breaches caused by software vulnerability ~ Verizon
Source: Verizon, Data Breach Report, 2018 (figures cover the last 10 years)
1 in 3 of newly scanned applications had SQL injections over the past 5 yrs ~ Cisco
Source: Cybersecurity as a Growth Advantage, Cisco, 2016
> Data Breach #1: US Election Board Systems
Understanding the data breach
Personal data of voters stolen by a teenager
SQL Injection
Was it an Anonymous hacker lurking in the shadows?
Script kiddie ALERT! Freely available tools and scripts were used for the attack.
Understanding the security vulnerability
Scenario 1: Normal authentication workflow (Client -> Web Server -> DB Server)
1. A user submits his credentials using POST parameters:
   Username: John, Password: Doe
2. The parameters are appended to a database query string that is submitted to the database:
   SELECT * FROM Users WHERE Username = "John" AND Password = "Doe"
3. The credentials are valid and the appropriate record is returned to the web server:
   Returned 1 Row ('John', 'Doe', 'Admin')
4. The session cookie is returned to the browser; the user is now logged in:
   Set-cookie: sessionid=FUHOJFB0I4BW121X7281
Understanding the security vulnerability
Scenario 2: Authentication bypass (Attacker -> Web Server -> DB Server)
1. An attacker submits input values that will take advantage of the query:
   Username: admin, Password: abc' OR 1=1;
2. The submitted input changes the logic of the query. Because of the always-true condition, the password condition will be ignored!
   SELECT * FROM Users WHERE Username = 'admin' AND Password = 'abc' OR 1=1;
3. The database returns a matching record:
   Returned 1 Row ('admin', 'John', 'admin')
4. The session cookie is returned to the browser; the attacker is now logged in as administrator:
   Set-cookie: jsessionid=FUHOJFB0I4BW121X7281
The vulnerability is exploited in order to gain control of an account without providing a valid password.
Realising the impact
Altered data such as balance and transaction information could cause repudiation issues.
System unavailability could cause revenue and reputation loss.
Account and private data theft could damage reputation and credibility, causing customer and revenue loss.
Preventing the mistake
Never concatenate user-controllable input with application SQL to form the query sent to the database. Consider GET and POST parameters, Cookies and other HTTP headers.
Use parameterized queries. All of the popular development frameworks provide support for secure construction of database queries.
# Insecure: user-controllable input is concatenated straight into the SQL string
insert_user_query = "INSERT INTO users (name, age) VALUES ('" +
                    request_user_name + "', " + request_user_age + ")"
insert_user = db.prepare(insert_user_query)
insert_user.execute

# Secure: a parameterized query; the driver binds the values separately from the SQL
insert_user = db.prepare("INSERT INTO users (name, age) VALUES (?, ?)")
insert_user.execute(request_user_name, request_user_age)
Preventing the mistake
In addition, apply white-list validation on all user input.
Consider GET and POST parameters, Cookies and other HTTP headers.
Apply the least privilege principle on the database users.
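As an added example (not the deck's own code), the login flow from the two scenarios in Python against a constructed in-memory SQLite table: the concatenated query accepts the always-true payload, the parameterized query does not, and an allow-list check on the username rejects such input before any query runs. The payload is the slide's abc' OR 1=1 with the closing quote balanced so the concatenated string is syntactically valid SQL.

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in for the slide's Users table with its single admin row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (Username TEXT, Password TEXT, Role TEXT)")
    db.execute("INSERT INTO Users VALUES ('admin', 'John', 'admin')")
    return db


def login_vulnerable(db, username, password):
    """The mistake from Scenario 2: input is concatenated into the query text,
    so a quote in the password rewrites the WHERE clause."""
    query = ("SELECT * FROM Users WHERE Username = '" + username +
             "' AND Password = '" + password + "'")
    return db.execute(query).fetchone()


def login_safe(db, username, password):
    """Parameterized query: the driver binds the values, so input can never
    become part of the SQL no matter which characters it contains."""
    query = "SELECT * FROM Users WHERE Username = ? AND Password = ?"
    return db.execute(query, (username, password)).fetchone()


# Allow-list for usernames (constructed rule: letters, digits, underscore, 1-32 chars).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def username_allowed(username):
    """White-list validation from the prevention slide, applied before querying."""
    return bool(USERNAME_RE.match(username))


# Slide payload with the quote balanced: ... AND Password = 'abc' OR '1'='1'
# AND binds tighter than OR, so every row matches and the first one is returned.
BYPASS = "abc' OR '1'='1"
```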
How easy is it to exploit SQL injection? Follow along on your computer and find out!
> Data Breach #2: Facebook Access Tokens
50,000,000 accounts affected
Access tokens exposed that keep users logged into Facebook
Understanding the data breach
Do you have a login system in your applications?
cookies && sessions
Insecure Session Management
Understanding session management
What are cookies?
HTTP is a stateless protocol. Cookies can be used to track a user’s state by storing values related to the user’s actions. These cookie values are sent to and from the server and are stored in the client’s browser.
When are cookies used?
Cookies can be used to store an online shopping cart or browsing activities. Another use is authentication cookies, which store the user’s session information to determine whether a user is logged in and which privileges are assigned to that user.
Set-cookie: user=johndoe
Cookie: user=johndoe
How are cookies protected?
Certain flags can be added when setting a cookie to limit its usage:
• Secure – Avoid transmission over an insecure channel.
• HttpOnly – Don’t let JavaScript read the cookie value.
• Domain – Set the domain for which the cookie is available.
• Path – Set the subfolders and pages for which the cookie is available.
• Expires – Determine when the cookie should be deleted.
Understanding the security vulnerability
Weak session token generation (Attacker -> Web Application <- Authenticated User)
1. An attacker logs into a site. The site uses a simple increment to generate session IDs.
   Cookie: sessionID=1235
2. Another authenticated user already holds the previous value.
   Cookie: sessionID=1234
3. The attacker, noticing the predictability of the ID generation, deduces new IDs, which he uses to browse back to the site. After a few attempts, the attacker finds a session ID that is associated with another authenticated user.
   Cookie: sessionID=1234
   Welcome ‘User’!
By being able to predict session IDs he is able to impersonate the authenticated user and is allowed full access to the user’s account.
Understanding the security vulnerability
Session fixation (Attacker -> Web Application <- Victim)
1. An attacker browses to a site (without logging in) and is assigned a session ID. He wants to trick a victim into using this same session ID.
   Set-Cookie: sessionID=E34G0JS
2. A link to the login page is sent to the victim. The link contains the session ID of the attacker. The victim is tricked into clicking the link.
   Please update your password: GET /login?SESSIONID=E34G0JS
3. The victim logs in and, because of weak session management, is assigned the session ID provided by the attacker!
   Set-Cookie: sessionID=E34G0JS
   Cookie: sessionID=E34G0JS
4. The attacker resubmits a request with the session ID, which is now associated with the authenticated victim. He now has access to the victim’s account.
   GET /profile?SESSIONID=E34G0JS
   Welcome ‘Victim’
Realizing the impact
Weak session management allows attacks on the session ID. Having a user’s session ID is basically the same as getting that user’s login and password.
A stolen administrator account could lead to disruption of the website, causing loss of customers and revenue.
Due to account theft, sensitive end-user (customer) data could be stolen, leading to reputational damage and revenue loss.
Preventing the mistake
Session ID properties must be secure: unpredictable, time limited, single session.
Use the session management features provided by your development framework.
Store session IDs in cookies.
Protect session cookies appropriately: expiry timestamp, path, secure flag, invalidate on logout.
Secure the transport layer. See “Insufficient Transport Layer Protection”.
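As an added example (not the deck's own code) covering the cookie-flags slide, the weak token generation scenario, the session fixation scenario and this prevention slide together: a small Python session store that draws IDs from the OS CSPRNG instead of a counter, issues a fresh ID at login so a planted ID is never promoted, expires and invalidates sessions, reads the ID only from the Cookie header (never from a SESSIONID in the URL), and emits a Set-Cookie line with the slide's flags. SESSION_TTL, the cookie name sessionID and the clock parameter are constructed for the example.

```python
import secrets
import time

SESSION_TTL = 15 * 60  # seconds; a constructed value for this example


class SessionStore:
    """Server-side store following the slide's rules: unpredictable IDs, time
    limited, one session per login, a fresh ID issued at login."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._sessions = {}        # sid -> {"user": str | None, "expires": float}

    @staticmethod
    def _new_id():
        # 256 bits from the OS CSPRNG, the opposite of the slide's counter (1234, 1235, ...)
        return secrets.token_urlsafe(32)

    def create(self):
        """Anonymous session handed out on first visit, before any login."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "expires": self._now() + SESSION_TTL}
        return sid

    def login(self, old_sid, user):
        """Drop the pre-login ID and issue a new one, so an ID planted by an
        attacker (session fixation) is never promoted to an authenticated session."""
        self._sessions.pop(old_sid, None)
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "expires": self._now() + SESSION_TTL}
        return sid

    def user_for(self, sid):
        """Resolve a session ID; None when unknown, expired or logged out."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._now() >= entry["expires"]:
            del self._sessions[sid]  # time limited: stale sessions are removed
            return None
        return entry["user"]

    def logout(self, sid):
        """Invalidate on logout so the ID cannot be replayed afterwards."""
        self._sessions.pop(sid, None)


def session_id_from_request(cookie_header, query_params):
    """Take the session ID from the Cookie header only. A SESSIONID query
    parameter, as in the slide's GET /login?SESSIONID=..., is ignored."""
    del query_params  # deliberately never consulted
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sessionID":
            return value
    return None


def set_cookie_header(sid, expires_epoch):
    """Set-Cookie line carrying the Expires, Path, Secure and HttpOnly flags
    from the cookies slide."""
    expires = time.strftime("%a, %d %b %Y %H:%M:%S GMT", time.gmtime(expires_epoch))
    return (f"Set-Cookie: sessionID={sid}; Expires={expires}; Path=/; "
            "Secure; HttpOnly")
```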
How easy is it to exploit session management vulnerabilities? Follow along on your computer and find out!
> Lessons learnt
Secure coding commandments
Uplift your security game: classroom training, eLearning
Play the long game:
01 Dependency management
02 Create secure coding guidelines
03 Build a relationship with the application security team
Are you ready to be a superhero?
