Uploaded byguest66dc5f
PPT, PDF282 views

Varun-Subtle_Security_flaws

Varun Sharma from Microsoft India identifies 5 common authentication and authorization flaws in web applications: 1. Custom authentication is implemented instead of using proven system methods. 2. Rule-based authorization is not considered, with authorization relying only on disabling UI elements. 3. Input validation only checks for blacklisted characters instead of whitelisting allowed values. 4. Cryptography is improperly implemented without understanding what security mechanisms provide. 5. Applications are vulnerable to denial of service attacks from excessive automated requests.

Embed presentation

Download to read offline
Varun Sharma Application Consulting and Engineering (ACE) Team, Microsoft India
Flaw – 1 Custom Authentication Flaw – 2 Lack of Rule based Authorization Flaw – 3 Black list input validation Flaw – 4 Improper use of Crypto Flaw – 5 App layer DOS attack
Site implements custom forms authentication Buggy code Demo
Principles:- Use well known and time tested, system provided methods for authentication. Avoid writing custom authentication code.
Authorization implemented by disabling UI Rule based authorization not considered Demo
Principles:- Do not rely on UI for authorization Disabled buttons is not authorization Consider rule based authorization in your design
Only set of bad characters are checked for Becomes vulnerable in special situations Demo
Principles:- Validate for valid allowed values (white list) If white list validation is not possible, Encode to prevent XSS Parameterize to prevent SQL Injection…
Not knowing what services are provided by what mechanisms For example, what services do Digital Signatures provide? Demo
Product 1 ‘s Site Product 2 ‘s Site Product 3 ‘s Site Central Payment Site Signed XML POST
Principles:- Know what service each mechanism provides Do not implement crypto mechanisms yourself Use system provided methods
Book movie ticket Screen 1 for User 1
Book movie ticket Screen 2 for User 1 You have 7 minutes left Enter Payment details:- Name:- Credit Card Number:- Address:- … . Click to Book
Book movie ticket Screen 1 for User 2
Book movie ticket Screen 1 for User 2 after 7 minutes
Principles:- Use CAPTCHA to avoid automated attacks Design with security in mind
 

More Related Content

PPT
Computer viruses
bynkosana cusson ngwenya
 
PDF
Computer hardware software and firmware
bynafisarayhana1
 
PDF
Foca_sbatc
byguest66dc5f
 
PPT
arma05-era
byguest66dc5f
 
PPT
Media and Public Health Law
byguest66dc5f
 
PPT
05_Day_1_Lackner
byguest66dc5f
 
PPT
01_Day_1_Oxburgh
byguest66dc5f
 
PDF
Golfphotos
byguest66dc5f
 
Computer viruses
bynkosana cusson ngwenya
 
Computer hardware software and firmware
bynafisarayhana1
 
Foca_sbatc
byguest66dc5f
 
arma05-era
byguest66dc5f
 
Media and Public Health Law
byguest66dc5f
 
05_Day_1_Lackner
byguest66dc5f
 
01_Day_1_Oxburgh
byguest66dc5f
 
Golfphotos
byguest66dc5f
 

Similar to Varun-Subtle_Security_flaws

PPT
Security Testing for Mobile and Web Apps
byDrKaramHatim
 
PPTX
How to Test for The OWASP Top Ten
bySecurity Innovation
 
ODP
OWASP Secure Coding
bybilcorry
 
PPT
1 security goals
bydrewz lin
 
PDF
An Introduction to Secure Application Development
byChristopher Frenz
 
PPT
Application Security
byflorinc
 
PDF
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
bySam Bowne
 
PPT
Web Application Security Testing
byMarco Morana
 
PPT
Hack applications
byenrizmoore
 
PDF
CNIT 129S: Securing Web Applications Ch 1-2
bySam Bowne
 
PPT
Developing Secure Applications and Defending Against Common Attacks
byPayPalX Developer Network
 
PPT
Secure code practices
byHina Rawal
 
PPTX
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
byRyan Elkins
 
PPT
Sql securitytesting
byThilak Pathirage -Senior IT Gov and Risk Consultant
 
PDF
Session4-Authentication
byzakieh alizadeh
 
PDF
Web application security (eng)
byAnatoliy Okhotnikov
 
PPTX
Application Security TRENDS – Lessons Learnt- Firosh Ummer
byOWASP-Qatar Chapter
 
PDF
Mr. Burhan Khalid - secure dev.
bynooralmousa
 
PDF
Secured Development
byBurhan Khalid
 
PPTX
Web security for app developers
byPablo Gazmuri
 
Security Testing for Mobile and Web Apps
byDrKaramHatim
 
How to Test for The OWASP Top Ten
bySecurity Innovation
 
OWASP Secure Coding
bybilcorry
 
1 security goals
bydrewz lin
 
An Introduction to Secure Application Development
byChristopher Frenz
 
Application Security
byflorinc
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
bySam Bowne
 
Web Application Security Testing
byMarco Morana
 
Hack applications
byenrizmoore
 
CNIT 129S: Securing Web Applications Ch 1-2
bySam Bowne
 
Developing Secure Applications and Defending Against Common Attacks
byPayPalX Developer Network
 
Secure code practices
byHina Rawal
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
byRyan Elkins
 
Sql securitytesting
byThilak Pathirage -Senior IT Gov and Risk Consultant
 
Session4-Authentication
byzakieh alizadeh
 
Web application security (eng)
byAnatoliy Okhotnikov
 
Application Security TRENDS – Lessons Learnt- Firosh Ummer
byOWASP-Qatar Chapter
 
Mr. Burhan Khalid - secure dev.
bynooralmousa
 
Secured Development
byBurhan Khalid
 
Web security for app developers
byPablo Gazmuri
 

More from guest66dc5f

PPT
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
byguest66dc5f
 
PDF
golf
byguest66dc5f
 
PDF
Rahul-Analysis_of_Adversarial_Code
byguest66dc5f
 
PDF
Ajit-Legiment_Techniques
byguest66dc5f
 
PPT
Sunil-Hacking_firefox
byguest66dc5f
 
PPT
Dror-Crazy_toaster
byguest66dc5f
 
PDF
Shreeraj-Hacking_Web_2
byguest66dc5f
 
PDF
WHITEPAPER-7_years_of_Indian_Cyber_Law
byguest66dc5f
 
PPT
Rohas-7_years_of_indian_cyber_laws
byguest66dc5f
 
PDF
David-FPGA
byguest66dc5f
 
PDF
David-FPGA
byguest66dc5f
 
PPT
Os Timed Original
byguest66dc5f
 
PDF
NR-golf-sept07
byguest66dc5f
 
PDF
NR-golf-sept07
byguest66dc5f
 
PPT
CostofWarinIraq
byguest66dc5f
 
PDF
GolfLakeCity_002
byguest66dc5f
 
PPT
Freaky car number plates
byguest66dc5f
 
PPT
Awesome car collection
byguest66dc5f
 
PPT
Control your entire house with your iPhone
byguest66dc5f
 
PDF
longisland_golf_07
byguest66dc5f
 
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
byguest66dc5f
 
golf
byguest66dc5f
 
Rahul-Analysis_of_Adversarial_Code
byguest66dc5f
 
Ajit-Legiment_Techniques
byguest66dc5f
 
Sunil-Hacking_firefox
byguest66dc5f
 
Dror-Crazy_toaster
byguest66dc5f
 
Shreeraj-Hacking_Web_2
byguest66dc5f
 
WHITEPAPER-7_years_of_Indian_Cyber_Law
byguest66dc5f
 
Rohas-7_years_of_indian_cyber_laws
byguest66dc5f
 
David-FPGA
byguest66dc5f
 
David-FPGA
byguest66dc5f
 
Os Timed Original
byguest66dc5f
 
NR-golf-sept07
byguest66dc5f
 
NR-golf-sept07
byguest66dc5f
 
CostofWarinIraq
byguest66dc5f
 
GolfLakeCity_002
byguest66dc5f
 
Freaky car number plates
byguest66dc5f
 
Awesome car collection
byguest66dc5f
 
Control your entire house with your iPhone
byguest66dc5f
 
longisland_golf_07
byguest66dc5f
 

Recently uploaded

PDF
Day 2 - Network Security ~ 2nd Sight Lab ~ Cloud Security Class ~ 2020
by2nd Sight Lab
 
PPTX
AI in Cybersecurity: Digital Defense by Yasir Naveed Riaz
byYasir Naveed Riaz
 
PDF
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
PDF
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
PPTX
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
PPTX
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
PDF
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
PPTX
Protecting Data in an AI Driven World - Cybersecurity in 2026
byYasir Naveed Riaz
 
PPTX
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
PDF
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
December Patch Tuesday
byIvanti
 
PDF
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
PDF
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
PDF
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
PPTX
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
PPTX
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
PPTX
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 
Day 2 - Network Security ~ 2nd Sight Lab ~ Cloud Security Class ~ 2020
by2nd Sight Lab
 
AI in Cybersecurity: Digital Defense by Yasir Naveed Riaz
byYasir Naveed Riaz
 
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
Protecting Data in an AI Driven World - Cybersecurity in 2026
byYasir Naveed Riaz
 
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
December Patch Tuesday
byIvanti
 
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 

Varun-Subtle_Security_flaws

  • 1.
    Varun Sharma ApplicationConsulting and Engineering (ACE) Team, Microsoft India
  • 2.
    Flaw – 1 Custom Authentication Flaw – 2 Lack of Rule based Authorization Flaw – 3 Black list input validation Flaw – 4 Improper use of Crypto Flaw – 5 App layer DOS attack
  • 3.
    Site implements customforms authentication Buggy code Demo
  • 4.
    Principles:- Use wellknown and time tested, system provided methods for authentication. Avoid writing custom authentication code.
  • 5.
    Authorization implemented bydisabling UI Rule based authorization not considered Demo
  • 6.
    Principles:- Do notrely on UI for authorization Disabled buttons is not authorization Consider rule based authorization in your design
  • 7.
    Only set ofbad characters are checked for Becomes vulnerable in special situations Demo
  • 8.
    Principles:- Validate forvalid allowed values (white list) If white list validation is not possible, Encode to prevent XSS Parameterize to prevent SQL Injection…
  • 9.
    Not knowing whatservices are provided by what mechanisms For example, what services do Digital Signatures provide? Demo
  • 10.
    Product 1 ‘sSite Product 2 ‘s Site Product 3 ‘s Site Central Payment Site Signed XML POST
  • 11.
    Principles:- Know whatservice each mechanism provides Do not implement crypto mechanisms yourself Use system provided methods
  • 12.
    Book movie ticketScreen 1 for User 1
  • 13.
    Book movie ticket Screen 2 for User 1 You have 7 minutes left Enter Payment details:- Name:- Credit Card Number:- Address:- … . Click to Book
  • 14.
    Book movie ticket Screen 1 for User 2
  • 15.
    Book movie ticket Screen 1 for User 2 after 7 minutes
  • 16.
    Principles:- Use CAPTCHAto avoid automated attacks Design with security in mind
  • 17.

Editor's Notes

  • #2 I will be presenting five subtle and interesting flaws in applications.