The document discusses security considerations for Web 2.0 applications. It begins with an overview of the evolution of Web 2.0 and its key characteristics that impact security, such as user-generated content and integration of data from different sources. The document then analyzes common Web 2.0 vulnerabilities like XSS, injection flaws, and broken authentication. It provides examples of how these vulnerabilities can be exploited in Web 2.0 and their root causes. Finally, the document outlines steps for building secure Web 2.0 applications, including threat modeling, secure code reviews, testing, and risk management.
A walkthrough of web application defense strategies, based around the Open Web Application Security Project's top 10 list. Presented to the Classic City Developers Meetup in August 2017.
OWASP Top 10 Most Critical Web Application Security Risks
The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.
We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications minimize these risks. Adopting the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code. More info at: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security.
BEST PRACTICES OF WEB APPLICATION SECURITY by Samvel Gevorgyan
"Web Application Security is a vast topic and time is not enough to cover all kinds of malicious attacks and techniques for avoiding them, so now we will focus on top 10 high level vulnerabilities. Web developers work in different ways using their custom libraries and intruder prevention systems and now we will see what they should do and should not do based on best practices."
- Samvel Gevorgyan
[ Presentation on Scribd ]
http://www.scribd.com/doc/47157267
Cross-Site Request Forgery (CSRF for short) is a kind of web application vulnerability which allows a malicious website to send unauthorized requests to a vulnerable website using the active session of one of its authorized users.
In simple words, it's when an "evil" website posts a new status to your Twitter account during your visit, while your login session on Twitter is still active.
For security reasons the same-origin policy in browsers restricts browser-side programming languages such as JavaScript from reading remote content; it does not, however, stop the browser from sending a cross-site request with the user's cookies attached, which is exactly what CSRF exploits.
As browser configurations may be modified, the best way to protect a web application against CSRF is to secure the web application itself.
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers (Tom Eston)
Over the years web services have become an integral part of web and mobile applications. From critical business applications like SAP to mobile applications used by millions, web services are becoming more of an attack vector than ever before. Unfortunately, penetration testers haven't kept up with the popularity of web services, recent advancements in web service technology, testing methodologies and tools. In fact, most of the methodologies and tools currently available either don't work properly, are poorly designed or don't fully test for real world web service vulnerabilities. In addition, environments for testing web service tools and attack techniques have been limited to home grown solutions or, worse yet, production environments.
In this presentation Tom, Josh and Kevin will discuss the new security issues with web services and release an updated web service testing methodology that will be integrated into the OWASP testing guide, new Metasploit modules and exploits for attacking web services, and an open source vulnerable web service for the Samurai-WTF (Web Testing Framework) that penetration testers can use to test web service attack tools and techniques.
Content Management System Security.
How to secure your CMS?
Common rules:
+ Choose your CMS with both functionality and security in mind
+ Update with urgency
+ Use a strong password (admin dashboard access, database users, etc.)
+ Have a firewall in place (detect or prevent suspicious requests)
+ Keep track of the changes to your site and their source code
+ Give the user permissions (and their levels of access) a lot of thought
+ Limit the type of files to non-executables and monitor them closely
+ Backup your CMS (daily backups of your files and databases)
+ Uninstall plugins you do not use or trust.
This presentation articulates a key trend I'm seeing in technology delivery. Namely, the need to "right-size the rigor" applied using risk-based methods.
DSS ITSEC 2013 Conference 07.11.2013 - Security in High Risk Environment (Andris Soroka)
Presentation from one of the notable IT security events in the Baltic States, organized by "Data Security Solutions" (www.dss.lv). The event took place in Riga on 7 November 2013 and was attended by more than 400 participants on site and more than 300 via online live streaming.
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof... (Denim Group)
HP Protect 2015 Presentation with Denim Group's John Dickson and HP's Bruce Jenkins - Software security historically has been a bolt-on afterthought, frequently a "nice to do" and not a "must do" activity in many organizations. Despite the obvious need to build security in from the outset, organizations continue to struggle to gain momentum and focus resources in support of a structured and measurable software security assurance program. How can organizations determine the best-fit activities and appropriate resource allocation levels to adequately address software risk? How can security leaders know what other organizations are doing to produce more secure software? This session provides an overview of the Open Software Assurance Maturity Model (OpenSAMM) framework and illustrates how organizations can use it to give their security program the edge necessary to stay competitive in today's DevOps world and need-for-speed go-to-market strategies. The session includes case studies on how organizations are using comparative data and OpenSAMM benchmarking to realize measurable software security improvement.
Originally shared here - https://sessioncatalog.hpglobalevents.com/go/agendabuilder.sessions/?l=19&sid=4026_2744&locale=en_US
BSIMM and Security Initiative Improvement @OWASPNoVA 02/06/2014 (m1splacedsoul)
Abstract: The Building Security In Maturity Model (or BSIMM) observes and measures what firms' software security initiatives are actually doing. John, who has helped several firms build or improve their security initiatives, will share sometimes surprising data about security initiatives big and small. His presentation will focus on what activities organizations use to "boot" security initiatives and which they presently focus on.
This presentation is for Chartered Accountants on Web 2.0. It discusses the opportunities offered by social media. Risk and management of risk of social media is discussed.
Lab-8: Web Hacking
Websites have always been among the first targets of hackers. There are many reasons for this; the most important ones are:
1) Websites have to be reachable from the Internet. Their primary purpose is to publish something or provide some service to the public.
2) There are more than 1 billion websites, as almost every organization and many individuals have one.
3) As opposed to the earlier years of the World Wide Web, websites are very dynamic today. They come with forms and dynamic applications implemented with many different frontend and backend technologies. This variety of dynamic applications not only brings more functionality to web applications but also introduces vulnerabilities.
As a result, we are talking about something valuable, billions in number, accessible by anybody, and a commonplace for wrong implementations and vulnerabilities.
Section-1: Exploit Cross-Site Scripting (XSS) Vulnerability
An XSS attack enables malicious users to inject client-side scripts such as JavaScript code into web pages viewed by other users. The term XSS is used to describe both the vulnerability and the attack type, as in "XSS attack" / "XSS vulnerability" in the web application.
1) Log into Windows 7 Attacker in the Netlab environment.
2) Open Firefox by clicking the icon on the desktop or start menu.
3) Visit this page:
http://192.168.2.15/dvwa/login.php
This is the "Damn Vulnerable Web Application" hosted on the OWASP BWA machine on Netlab.
4) Log in to the web application by typing user as Username and user as Password. After logging in, you will see the page below.
5) Click on "XSS reflected" in the left menu and type your nickname into the textbox in the right pane of the webpage. (I typed "ethical" and clicked the submit button.) The web application takes what you typed as the input, adds "Hello" to the beginning, and prints it to the screen.
6) Try some basic HTML tags now. Type
<h1>your nickname</h1>
I typed "<h1>ethical</h1>" and then clicked the submit button. I confirm.
Risk Analysis Of Banking Malware Attacks (Marco Morana)
Analysis of how banking malware like Zeus exploits weaknesses in on-line banking applications and security controls. This presentation is a walkthrough of the attack scenario, the attack vectors, the vulnerability exploits and the techniques to model the threats so that countermeasures can be identified.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... (James Anderson)
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024 (Albert Hoitingh)
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Securing your Kubernetes cluster: a step-by-step guide to success! (KatiaHIMEUR1)
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
3. OWASP
Agenda For Today’s Presentation
1. The Evolution of Web 2.0
2. Web 2.0 Vulnerability Analysis
3. Building Secure Web 2.0 Applications
4. Web 2.0 Risk Management
5. OWASP
General Web 2.0 Background
Can be defined as: "Web applications that facilitate interactive information sharing and collaboration, interoperability, and user-centered design on the World Wide Web"
... the main characteristics of Web 2.0 are:
1. Encourage users' participation and collaboration through a virtual community of social networks/sites. Users can add and update their own content; examples include Twitter and social networks such as Facebook, Myspace, LinkedIn and YouTube
2. Transcend the technologies/frameworks used: AJAX, Adobe AIR, Flash, Flex, Dojo, Google Gears and others
3. Combine and aggregate data and functionality from different applications and systems; examples include "mashups" as aggregators of client functionality provided by different in-house developed and/or third-party services (e.g. web services, SaaS)
6. OWASP
Web 2.0 As Evolution of Human Knowledge
Source http://digigogy.blogspot.com/2009/02/digital-blooms-visual.html
8. OWASP
How Web 2.0 Changes The Threat Landscape
Web 1.0 threats are amplified by the intrinsic nature of Web 2.0, such as the expanded interaction model and the use of both old and new Web 2.0 technologies. Examples:
+ Social networks are a target for attacking users with malware; Facebook alone has 350 million users
+ Web 2.0 is prone to Web 1.0 vulnerabilities such as XSS, CSRF, phishing and injection flaws
Web 2.0 enables more effective attacks because of the sharing and integration between disparate systems. Examples:
+ Complexity of integrating different technologies and services, front-end/client and back-end/server
+ Rich client interfaces increase the attack surface and the likelihood of business logic attacks
Social networks facilitate the disclosure of confidential PII. Examples:
+ Attackers abuse the users' trust-first, verify-later model
+ The data sharing model breaks the boundaries of confidentiality: there is no clear boundary between private and public, or between personal and professional life
11. OWASP
Top 50 WASC Threats and Top 10 OWASP Risks Especially Impacting Web 2.0
12. OWASP
WASC-23 XML INJECTION, WASC-29 XPATH INJECTION, OWASP A1: INJECTION FLAWS
WEB 2.0 EXPLOIT SCENARIOS:
XML INJECTION/POISONING
User-supplied input is inserted into XML without sufficient validation, affecting the structure of the XML record and its tags (and not just the content)
XPATH INJECTION
XPath injection is an attack that alters an XML query to achieve the attacker's goals
JSON INJECTION
An attacker can force execution of malicious code by injecting malicious JavaScript code into the JSON (JavaScript Object Notation) structure on the client; this works when the client evaluates the JSON with eval() rather than a strict parser such as JSON.parse()
RSS FEED INJECTION
RSS feeds can consume un-trusted sources injected with XSS
WEB 2.0 KNOWN INCIDENT EXAMPLE:
WHID 2008-47: The Federal Suppliers Guide validates login credentials in JavaScript -
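The XML injection scenario above, as an added worked example that is not from the OWASP deck: a constructed registration handler stores each account as an XML record, first spliced together with string formatting and then built safely. The record layout, the field names and the EVIL_EMAIL payload are assumptions made for the illustration; parsing is done with the Python standard library.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample input (not from the page): the attacker controls the e-mail
# field and uses it to close <email> and smuggle in a second <role> element.
EVIL_EMAIL = "x@example.org</email><role>admin</role><email>y@example.org"


def build_record_unsafe(username: str, email: str) -> str:
    """Vulnerable: input is spliced into markup, so it can alter the record's
    structure, not just the text inside one element."""
    return f"<user><name>{username}</name><email>{email}</email><role>member</role></user>"


def build_record_escaped(username: str, email: str) -> str:
    """Fix 1: escape & < > before splicing (use saxutils.quoteattr for attribute values)."""
    return (f"<user><name>{escape(username)}</name>"
            f"<email>{escape(email)}</email><role>member</role></user>")


def build_record_tree(username: str, email: str) -> str:
    """Fix 2 (preferred): build the document through the tree API; the serializer
    escapes text for us, so there is no string splicing to get wrong."""
    user = ET.Element("user")
    ET.SubElement(user, "name").text = username
    ET.SubElement(user, "email").text = email
    ET.SubElement(user, "role").text = "member"
    return ET.tostring(user, encoding="unicode")


def roles_in(record_xml: str) -> list:
    """What a downstream consumer sees: the text of every <role> child of the record."""
    return [r.text for r in ET.fromstring(record_xml).findall("role")]


def email_in(record_xml: str) -> str:
    """The e-mail as the consumer sees it; after the fix it is the whole payload, as text."""
    return ET.fromstring(record_xml).find("email").text


if __name__ == "__main__":
    for builder in (build_record_unsafe, build_record_escaped, build_record_tree):
        print(f"{builder.__name__:22} roles={roles_in(builder('mallory', EVIL_EMAIL))}")
    # build_record_unsafe    roles=['admin', 'member']   <- attacker-controlled role
    # build_record_escaped   roles=['member']
    # build_record_tree      roles=['member']
```

The unsafe builder yields a well-formed record with two role elements, the attacker's "admin" first; whichever one a consumer reads, the structure is no longer what the application wrote. The same rule covers the XPath scenario: never concatenate user input into a query; bind it as an XPath variable where the library supports it (lxml, for instance, fills `$name` placeholders from keyword arguments), or at least escape quotes and validate the value against the expected format. For the JSON scenario the client-side counterpart is to parse with JSON.parse() instead of eval().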
13. OWASP
WASC-08/OWASP A2: CROSS SITE SCRIPTING (XSS)
WEB 2.0 EXPLOIT SCENARIOS:
INSUFFICIENT LIMITS ON USER INPUT
Users are allowed to enter HTML data that can be potentially malicious (e.g. while creating content such as networks, blogs or wikis)
Users have extensive control over user content, including unsafe HTML tags that can be abused for XSS
INSUFFICIENT FILTERING FOR DOM XSS
XSS exposure is increased for Web 2.0, especially DOM-based XSS, since the DOM is used by RIAs written in Flash or Silverlight, by mashups and by widgets
AJAX increases the entry points for potential XSS injections
WEB 2.0 KNOWN INCIDENT EXAMPLE:
WHID 2008-32: Yahoo HotJobs XSS
Hackers exploited an XSS vulnerability on Yahoo HotJobs to steal victims' session cookies
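Both XSS scenarios above, and the reflected "Hello <name>" page from the Lab-8 walkthrough earlier on this page, come down to one decision: is the user's text data or markup? As an added example that is not from the OWASP deck or from DVWA, in Python with the standard library only: escape_for_html() for the reflected case, where the input is pure text, and an allowlist sanitizer for user-authored content that is permitted to carry some HTML. The tag and attribute policy is an assumption chosen for the illustration; a real site would tune it to its content model.

```python
import html
import re
from html.parser import HTMLParser

# Assumed policy for user-authored HTML (blog posts, wiki pages, profiles): a short
# allowlist of formatting tags; only <a href> may carry an attribute, and only with an
# absolute http(s) URL. Anything not on the list is dropped or escaped, never passed through.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_HREF = re.compile(r"^https?://", re.IGNORECASE)
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def escape_for_html(text: str) -> str:
    """Reflected case ('Hello <name>'): plain text goes into the page as data, never markup."""
    return html.escape(text, quote=True)


class AllowlistSanitizer(HTMLParser):
    """Re-serialises the fragment from parsed tokens instead of regex-filtering the raw
    string, so malformed or obfuscated markup is normalised rather than let through."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self._out = []
        self._stack = []   # allowed tags currently open
        self._skip = 0     # > 0 while inside <script>/<style>: their text is dropped too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # <img onerror>, <iframe>, <svg>, <form> ...: tag dropped, its text kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # on*=, style=, formaction=, ... never survive
            value = CONTROL_CHARS.sub("", value or "").strip()  # browsers ignore these in URLs
            if name == "href" and not SAFE_HREF.match(value):
                continue  # javascript:, data:, vbscript:, protocol-relative and friends
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self._out.append(f"<{tag}{''.join(kept)}>")
        self._stack.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
        elif tag in self._stack:
            while self._stack:  # close back to the matching tag; repairs mis-nesting
                closed = self._stack.pop()
                self._out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self._skip:
            self._out.append(html.escape(data, quote=False))

    def result(self) -> str:
        while self._stack:  # close whatever the author left open
            self._out.append(f"</{self._stack.pop()}>")
        return "".join(self._out)


def sanitize_html(fragment: str) -> str:
    sanitizer = AllowlistSanitizer()
    sanitizer.feed(fragment)
    sanitizer.close()
    return sanitizer.result()


if __name__ == "__main__":
    print(escape_for_html("<h1>ethical</h1>"))
    print(sanitize_html('<b>hi</b><img src=x onerror=alert(1)>'))
    print(sanitize_html('<a href="javascript:alert(1)" onclick="x()">profile</a>'))
```

Rebuilding from parsed tokens is the point: a deny-list regex over the raw string can be bypassed with case tricks, broken tags or entity encoding, whereas here anything the policy does not explicitly keep is escaped or dropped. Sanitize once when the content is stored, and still encode on output in every other context (attribute values, JavaScript strings, URLs), each of which needs its own encoder.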
14. OWASP
WASC-01: INSUFFICIENT AUTHENTICATION
OWASP-A3: BROKEN AUTHENTICATION AND SESSION MANAGEMENT
WEB 2.0 EXPLOIT SCENARIOS:
WEAK PASSWORDS
Users choose simple-to-guess passwords and trivial password-reminder questions set by on-line site contributors
CLEAR TEXT PASSWORDS
Passwords stored in AJAX widgets/mashups are sent and stored in clear text outside the control of the host
INSUFFICIENT PASSWORD MANAGEMENT CONTROLS
Password recovery/reminders are not protected from brute force attacks
SINGLE-SIGN-ON DESIGN FLAWS
Passwords stored in the personalized homepage and in the desktop widget as an "autologon" feature, or in the cloud to SSO from the desktop
WEB 2.0 KNOWN INCIDENT EXAMPLE:
WHID 2009-2: Twitter Accounts of the Famous Hacked
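The "insufficient password management controls" scenario above, as an added example that is not part of the OWASP deck: a recovery-token store in Python (standard library only) that makes the reminder/recovery path resistant to guessing, the weakness the Twitter incident on this slide is usually cited for. The usernames, the attempt budget and the lifetime are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets
import time

MAX_ATTEMPTS = 5              # assumed budget; after this the token is burned
TOKEN_TTL_SECONDS = 15 * 60   # assumed validity window


class RecoveryTokenStore:
    """Password-recovery tokens that are random, hashed at rest, single-use,
    short-lived and attempt-limited. `now` is injectable so expiry can be
    exercised in a test without sleeping."""

    def __init__(self, now=time.time):
        self._now = now
        self._records = {}  # username -> [sha256(token), expires_at, failed_attempts]

    def issue(self, username: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits: not a 6-digit PIN, not a "first pet" answer
        self._records[username] = [hashlib.sha256(token.encode()).digest(),
                                   self._now() + TOKEN_TTL_SECONDS, 0]
        return token  # delivered out of band (e-mail/SMS); only its hash stays server-side

    def redeem(self, username: str, presented: str) -> bool:
        rec = self._records.get(username)
        if rec is None:
            return False
        digest, expires_at, attempts = rec
        if self._now() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._records[username]  # expired, or guessed at too often: burn it
            return False
        rec[2] += 1                      # count the attempt before comparing
        ok = hmac.compare_digest(digest, hashlib.sha256(presented.encode()).digest())
        if ok:
            del self._records[username]  # single use
        return ok


def attacker_locked_out(store: RecoveryTokenStore, username: str, real_token: str) -> bool:
    """Simulated brute force: MAX_ATTEMPTS wrong guesses, then the real token.
    Returns True when the real token is (correctly) refused afterwards."""
    for i in range(MAX_ATTEMPTS):
        store.redeem(username, f"guess-{i}")
    return store.redeem(username, real_token) is False


if __name__ == "__main__":
    store = RecoveryTokenStore()
    token = store.issue("alice")          # constructed user
    print("attacker locked out:", attacker_locked_out(store, "alice", token))  # True
```

The properties that matter: the token is random rather than derived from a security question, only its hash is stored, it is single-use, it expires, and after MAX_ATTEMPTS wrong guesses even the right token is refused, so the attacker cannot enumerate it. Apply the same attempt budget to the login form itself, per account and per source address, and keep the response identical whether or not the username exists.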
15. OWASP
WASC-09/OWASP A5: CROSS SITE REQUEST FORGERY (CSRF)
WEB 2.0 EXPLOIT SCENARIOS:
CSRF USING AJAX REQUESTS
XHR calls enable invisible queries of a web application by the client that the user cannot visually validate for forgery
INSUFFICIENT BROWSER ENFORCEMENT OF SAME-ORIGIN POLICY
Desktop widgets do not have the same same-origin policy (SOP) protection as browser applications and facilitate CSRF
WEAK SESSION MANAGEMENT
Session expiration times are typically quite high, increasing the risk of session-based attacks such as CSRF
Persistent session cookies shared by widgets increase the opportunities for CSRF attacks
WEB 2.0 KNOWN INCIDENT EXAMPLE:
WHID 2009-4: Twitter Personal Info CSRF - By exploiting a CSRF bug in Twitter, site owners could obtain the Twitter profiles of their visitors.
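The AJAX and session scenarios above, as an added example that is not from the OWASP deck, in Python with the standard library: a synchronizer-token check that the server applies to every state-changing request, whether it arrived from a form or from XHR, with an Origin/Referer check in front of it. The request dictionaries, origins, session ids and server key are constructed for the illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def origin_of(url: str) -> str:
    """'https://App.Example/path?x=1' -> 'https://app.example' (an Origin of 'null' yields '://')."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


class CsrfGuard:
    """Synchronizer token bound to the session: token = HMAC(server_key, session_id).
    A cross-site page can make the browser send the victim's session cookie, but the
    same-origin policy stops it reading the token out of our pages or XHR responses,
    so a forged request cannot carry a valid one."""

    def __init__(self, server_key: bytes, trusted_origins: set):
        self._key = server_key
        self._trusted = {o.lower() for o in trusted_origins}

    def token_for(self, session_id: str) -> str:
        # Embedded in our own pages (hidden form field or meta tag) and copied by our
        # XHR code into the X-CSRF-Token header on every state-changing call.
        return hmac.new(self._key, session_id.encode(), hashlib.sha256).hexdigest()

    def allow(self, request: dict, session_id: str) -> bool:
        if request["method"] in SAFE_METHODS:
            return True  # safe methods must not change state, so they need no token
        headers = request.get("headers", {})
        source = headers.get("Origin") or headers.get("Referer")
        if source is not None and origin_of(source) not in self._trusted:
            return False  # defence in depth: reject a cross-site source before looking at tokens
        presented = headers.get("X-CSRF-Token") or request.get("form", {}).get("csrf_token", "")
        return bool(presented) and hmac.compare_digest(
            presented.encode(), self.token_for(session_id).encode())


def verdicts() -> dict:
    """Constructed requests (not captured traffic). The victim's browser attaches the
    session cookie to all of them; `victim` is the session id recovered from it."""
    guard = CsrfGuard(b"server-side secret, not in the repo", {"https://app.example"})
    victim = "sess-7f3a"
    requests = {
        "own_page_form": {"method": "POST", "headers": {"Origin": "https://app.example"},
                          "form": {"status": "hello", "csrf_token": guard.token_for(victim)}},
        "own_page_xhr": {"method": "POST", "headers": {"Origin": "https://app.example",
                                                        "X-CSRF-Token": guard.token_for(victim)}},
        # evil page auto-submits a form: cookie rides along, token cannot
        "forged_form": {"method": "POST", "headers": {"Origin": "https://evil.example"},
                        "form": {"status": "pwned"}},
        # browser or proxy stripped Origin/Referer: still no token
        "forged_no_origin": {"method": "POST", "headers": {}, "form": {"status": "pwned"}},
        # attacker presents a token valid for their own session, not the victim's
        "attackers_token": {"method": "POST",
                            "headers": {"X-CSRF-Token": guard.token_for("sess-attacker")}},
        # read-only request from anywhere is fine: it changes nothing
        "read_only_get": {"method": "GET", "headers": {"Origin": "https://evil.example"}},
    }
    return {name: guard.allow(req, victim) for name, req in requests.items()}


if __name__ == "__main__":
    for name, allowed in verdicts().items():
        print(f"{name:18} {'allowed' if allowed else 'rejected'}")
```

Because the token is an HMAC over the session id, no per-request storage is needed and a token captured for one session is useless for another. Two caveats that follow from the slide's "weak session management" point: a forged request still succeeds if the state change can be triggered with GET, so keep safe methods side-effect free; and the longer a session lives, the longer a forged request can ride on it, so set an idle timeout and mark the session cookie SameSite=Lax (or Strict) so the browser withholds it on cross-site POSTs in the first place.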
16. OWASP
WASC-21: INSUFFICIENT ANTI-AUTOMATION
WEB 2.0 EXPLOIT SCENARIOS:
AUTOMATIC SPREAD OF SPAM AND PHISHING LINKS
Spammers can automatically post links to increase the popularity ranking of a site
Fraudsters can use automation to embed malicious links, such as malicious advertisements, for drive-by download malware attacks
AUTOMATIC REGISTRATION OF USER ACCOUNTS
Scripts automatically register web e-mail accounts in order to authenticate to other services/applications
AUTOMATIC EMBEDDING OF COMMANDS
Embedding commands for controlling botnets in RSS feeds and social networking sites
AUTOMATIC BUSINESS LOGIC EXPLOITS
Automatically bidding on items to increase prices, exhausting the available seats, buying and reselling tickets
WEB 2.0 KNOWN INCIDENT EXAMPLE:
WHID 2007-65: Botnet to manipulate Facebook
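All four automation scenarios above are throttling problems. As an added example that is not from the OWASP deck, a sliding-window limiter in Python (standard library only) applied to account registration and posting, keyed on the source address and on the account; the limits, addresses and the botnet scenario are constructed for the illustration.

```python
import time
from collections import deque


class SlidingWindowLimiter:
    """At most `limit` events per `window` seconds for each key. `now` is
    injectable so the window can be advanced in a test instead of sleeping."""

    def __init__(self, limit: int, window: float, now=time.monotonic):
        self.limit, self.window, self._now = limit, window, now
        self._events = {}  # key -> deque of event timestamps still inside the window

    def allow(self, key: str) -> bool:
        now = self._now()
        q = self._events.setdefault(key, deque())
        while q and now - q[0] >= self.window:  # drop timestamps that aged out
            q.popleft()
        if len(q) >= self.limit:
            return False  # over budget: answer with a CAPTCHA, a delay, or HTTP 429
        q.append(now)
        return True


class AntiAutomation:
    """Budgets keyed on more than one thing (assumed limits). A botnet spreads
    sign-ups and posts across many source addresses, so a per-IP limit alone
    is not enough; the per-account limit catches spam wherever it comes from."""

    def __init__(self, now=time.monotonic):
        self.signups_per_ip = SlidingWindowLimiter(3, 3600.0, now)    # 3 new accounts / IP / hour
        self.posts_per_account = SlidingWindowLimiter(10, 60.0, now)  # 10 posts / account / minute
        self.posts_per_ip = SlidingWindowLimiter(30, 60.0, now)       # 30 posts / IP / minute

    def may_register(self, ip: str) -> bool:
        return self.signups_per_ip.allow(ip)

    def may_post(self, account: str, ip: str) -> bool:
        # Account budget first, so a denied post does not also consume IP budget.
        return self.posts_per_account.allow(account) and self.posts_per_ip.allow(ip)


def simulate_botnet(now, accounts_per_bot: int = 20, bots: int = 50) -> tuple:
    """Constructed scenario: one controller drives `bots` hosts, each trying to
    open `accounts_per_bot` accounts. Returns (attempted, allowed)."""
    guard = AntiAutomation(now)
    attempted = allowed = 0
    for bot in range(bots):
        for _ in range(accounts_per_bot):
            attempted += 1
            allowed += guard.may_register(f"203.0.113.{bot}")  # documentation range
    return attempted, allowed


if __name__ == "__main__":
    print(simulate_botnet(time.monotonic))  # (1000, 150)
```

The simulation shows why the WHID entry is a botnet: fifty source addresses still open 150 accounts under a per-IP limit, so the per-account posting budget, a CAPTCHA or proof-of-work on sign-up, and e-mail or phone verification have to carry the rest. Keep the counters in shared storage when there is more than one application server, and prefer a 429 with Retry-After over a silent drop so legitimate clients can back off.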
18. OWASP
WASC Classification of Root Causes Of Web 2.0 Vulnerabilities
1. USER GENERATED CONTENT: ability of consumers to add and update their own content
2. MASHUPS & WEB SERVICES: aggregation of data on the desktop through mashups and web services
3. DATA CONVERGENCE: no boundary between private and public information
4. DIVERSITY OF CLIENT SOFTWARE: data and software functions available across many different technologies and environments
5. COMPLEXITY & ASYNCHRONOUS OPERATION: increased user interaction and integration APIs lead to complexity, AJAX being one source of it
19. OWASP
Summary of Top Web 2.0 Security Threats
(Table columns: VULNERABILITY; EXPLOIT SCENARIO; WEB 2.0 ROOT CAUSES)
V1: INSUFFICIENT AUTHENTICATION CONTROLS
  Exploit scenarios: V1.1 WEAK PASSWORDS; V1.2 INSUFFICIENT ANTI-BRUTE FORCE CONTROLS; V1.3 CLEAR TEXT PASSWORDS; V1.4 SINGLE-SIGN-ON
  Root causes: W1 – User contributed content; W2 – Mashups; W4 – Diversity of client software; W5 – Complexity
V2: CROSS SITE SCRIPTING (XSS)
  Exploit scenarios: V2.1 INSUFFICIENT LIMITS ON USER INPUT
  Root causes: W1 – User contributed content
V3: CROSS SITE REQUEST FORGERY (CSRF)
  Exploit scenarios: V3.1 CREDENTIAL SHARING BETWEEN GADGETS; V3.2 CSRF USING AJAX REQUESTS; V3.3 LENGTHY SESSIONS
  Root causes: W5 – Complexity & Asynchronous Operation; W2 – Mashups; W4 – Diversity of client software
V4: PHISHING
  Exploit scenarios: V4.1 PHONY WIDGETS; V4.2 PHONY CONTENT USED FOR PHISHING; V4.3 XSS EXPLOITED FOR PHISHING
  Root causes: W2 – Mashups; W4 – Diversity of client software; W1 – User contributed content
V5: INFORMATION LEAKAGE
  Exploit scenarios: V5.1 SENSITIVE INFORMATION POSTED TO WEB 2.0 SITES; V5.2 INFORMATION AGGREGATION IN SOCIAL NETWORKS; V5.3 EASY RETRIEVAL OF INFORMATION THROUGH WEB SERVICES
  Root causes: W1 – User contributed content; W3 – Consumer and enterprise worlds convergence; W4 – Mashups & Web Services
V6: INJECTION FLAWS
  Exploit scenarios: V6.1 XML INJECTION; V6.2 XPATH INJECTION; V6.3 JSON INJECTION
  Root causes: W4 – Mashups & Web Services; W5 – Complexity & Asynchronous Operation
V7: INFORMATION INTEGRITY
  Exploit scenarios: V7.1 AUTHENTICATED USERS PUBLISH FRAUDULENT INFORMATION
  Root causes: W1 – User contributed content
V8: INSUFFICIENT ANTI-AUTOMATION
  Exploit scenarios: V8.1 WEB SPAM; V8.2 AUTOMATIC OPENING OF USER ACCOUNTS; V8.3 UNFAIR ADVANTAGE ON SITE
  Root causes: W1 – User contributed content; W2 – Mashup & Web Services
Source: www.secure-enterprise2.0.org
22. OWASP
Web 2.0 Security Engineering Essential Steps
1. Document Security Standards For Web 2.0
Document Web 2.0 technology security requirements (e.g. AJAX, Flash) and enforce them at the beginning of the SDLC
2. Conduct Application Threat Modeling during design
Examine the architecture of the Web 2.0 application and all tiers for secure design of authentication and session management, authorization, input validation, error handling and logging
3. Perform Secure Code Reviews On Web 2.0 Components/Frameworks
Ensure source code adheres to secure coding standards
Identify security bugs in both client-side code (e.g. widgets, AJAX) and server-side code (e.g. web services, SOA)
4. Security test Web 2.0 components
Write security test cases for AJAX and web services, using the OWASP Testing Guide test cases
5. Assess the whole Web 2.0 application for vulnerabilities
Conduct a final vulnerability assessment on the whole Web 2.0 application (e.g. test for OWASP Top 10, WASC and SANS-25 vulnerabilities)
23. OWASP
Security Touch Points For Web 2.0 using AGILE SDLC
[Diagram: the five security touch points mapped onto the Agile iteration cycle]
Agile iteration stages:
1. Iteration Planning Meeting
2. Begin Sprint # / Requirements Iteration #
3. Sprint Initiation, Design Discussion
4. Review Use Cases and Storyboard
5. Build & Deploy Prototype
6. Demo Prototype & Gather Feedback
7. Incorporate Feedback & Continue Development (iteration #N)
8. Incremental Integrated System Tests
9. User Acceptance Testing (no iteration)
10. Release
Security touch points:
STEP 1: Incorporate Web 2.0 Security Requirements (at requirements)
STEP 2: Secure Architecture Reviews / Threat Modeling (at design)
STEP 3: Secure Code Reviews at the End of Each Sprint (Security Sprint Reviews)
STEP 4: Security Tests For Web 2.0 Components (at integrated system tests)
STEP 5: Final Web 2.0 Vulnerability Assessment (before release)
24. OWASP
Secure Architecting AJAX In Web 2.0 Applications
[Diagram: AJAX architecture contrasting insecure patterns with the required server-side controls]
Insecure patterns:
Client-side business logic/state
Backend services accessible from untrusted callers without server-side security enforcement
AJAX endpoint calls the backend directly
Required controls:
ESB can only be called by trusted internal systems
Secure communications
Authentication & session management, access controls
Input validation
Error handling/logging
AJAX calls associated with active server-side sessions
26. OWASP
“TOP 10” Secure Coding Requirements for AJAX
1. Validate data on the server side at all data entry points and URLs of AJAX calls for code injection vulnerabilities such as JavaScript injection, JSON injection, DOM injection and XML injection. Use JSON.parse() to parse JSON objects rather than eval(); if eval() must be used, validate the data first
2. Make sure business logic is enforced on the server using server-side parameters, not by client-side logic
3. Validate well-formed XML against the allowed specification of values on the server side
4. Enforce authentication before any XMLHttpRequest (XHR) session
5. Enforce authorization checks on data accessed through XHR
6. Add an anti-CSRF token to the request and verify it on the server side, to address CSRF vulnerabilities via forged dynamic script tags
7. Do not store or cache sensitive data on the client, such as passwords, session IDs, client JavaScript, Flash local shared objects and Mozilla's DOM storage
8. Avoid using dynamic <script> tags, since there is no opportunity for data validation before execution
9. Always use the POST method to send requests by default
10. Do not use JavaScript alert() for error handling
30. OWASP
Potential Web 2.0 Attack Vectors And Targets
XML, JSON Injections
JS Injection XSS, Malware
Broken Auth and Session Mgmt
DOM XSS
CSRF
Phishing, Drive by Download
Information Disclosure & Integrity
Information Disclosure, DDOS
XPATH & SQL injection
31. OWASP
Web 2.0 Application Risk Framework
(Table columns: Threat Agents; Misuses and Attack Vectors; Security Weaknesses; Security Controls/Countermeasures; Technical Impacts; Business Impacts)
Risk 1: Confidential information shared on social sites
  Threat agents: Web 2.0 users, customers/employees
  Misuses and attack vectors: User shares private/confidential information; agents post confidential information
  Security weaknesses: Inherent weaknesses in controlling user contributed content in social networks, blogs, IMs, private emails
  Security controls/countermeasures: Web 2.0 social networking security policies, compliance, monitoring, filtering, archiving, approval workflow for social site posts
  Technical impacts: Loss of sensitive/confidential data
  Business impacts: Reputation loss; unlawful compliance fines
Risk 2: Phishing and social engineering
  Threat agents: Malicious users, fraudsters
  Misuses and attack vectors: Victim is targeted by phishing, download of phony widgets, clicking on malicious posts
  Security weaknesses: Social engineering; Web 2.0 vulnerabilities: XSS
  Security controls/countermeasures: Consumer education, data filtering, escape all untrusted data based on HTML context
  Technical impacts: Execute JS on client, install malware
  Business impacts: Fraud, financial losses, reputation loss/defacements
Risk 3: Injection through application interfaces
  Threat agents: Malicious users, fraudsters
  Misuses and attack vectors: Attacker sends malicious data to the application's interfaces
  Security weaknesses: Web 2.0 input validation vulnerabilities: XPATH injection, XML injection, JSON injection
  Security controls/countermeasures: Filtering, parameterized API, ESAPI filtering APIs, white-list validations
  Technical impacts: Loss of data, data alteration, denial of service/access
  Business impacts: Public disclosure of XSS, reputation damage
Risk 4: Broken authentication and session management
  Threat agents: Malicious users, fraudsters
  Misuses and attack vectors: Attacker uses leaks or flaws in the authentication or session management functions
  Security weaknesses: Web 2.0 broken authentication and session management vulnerabilities
  Security controls/countermeasures: Follow security requirements for secure password policies, implement locking, disable “auto-logons”
  Technical impacts: Unauthorized access to data, functions
  Business impacts: Loss of CIA, legal and financial implications
Risk 5: Cross site request forgery
  Threat agents: Fraudsters
  Misuses and attack vectors: Attacker creates forged HTTP requests and tricks a victim into submitting them
  Security weaknesses: Web 2.0 cross site request forgery vulnerabilities
  Security controls/countermeasures: Include the unique token in a hidden field
  Technical impacts: Can change data and functions on behalf of the user
  Business impacts: Loss of CIA, fraud, denial of access
Risk 6: Automation abuse
  Threat agents: Automated scripts/spam bots
  Misuses and attack vectors: Applications post links, create accounts, game the application
  Security weaknesses: Insufficient anti-automation
  Security controls/countermeasures: Include CAPTCHA, ESAPI intrusion detection APIs
  Technical impacts: Can overflow processes with spam, enumerations
  Business impacts: Business disruptions/losses, reputational damage
32. OWASP
Web 2.0 Business App Example: Twitter
Company's Customer Support offers help through Twitter's help account (Bank of America example)
33. OWASP
Managing Risks of Company's Twitter
Twitter Application Security Vulnerabilities
Landing page for selecting Twitter might be vulnerable to Web 2.0 vulnerabilities
Countermeasure: Require a scan for Web 2.0 vulnerabilities of the landing page hosting the link to Twitter
Use of AJAX might introduce new source code vulnerabilities
Countermeasure: Validate that filtering exists to sanitize malicious characters for XSS, XPATH and XML injection, that CSRF is mitigated, and that anti-automation controls are sufficient
Countermeasure: Validate compliance of source code with AJAX secure coding standards
34. OWASP
Managing Risks of Company's Twitter
Twitter Information Security And Compliance Risks
Customers can disclose confidential information by micro-blogging to the company's Twitter account
Countermeasure: Ask the user not to enter anything sensitive such as PII, SSN or account number, only a phone number
Company is not liable for the user's content posted to third-party Twitter or for Twitter's vulnerabilities
Countermeasure: Once the customer chooses to go to Twitter, present a speed bump with a notice releasing liability to the user and to Twitter
Content shared between enterprise customer support representatives (Twitter agents) can leak customers' confidential information such as PII and account numbers
Countermeasure: Use an enterprise social content filtering and monitoring tool; agents moderate the content that is posted on Twitter
36. OWASP
Thanks for listening, further references
Ajax and Other "Rich" Interface Technologies
http://www.owasp.org/index.php/Ajax_and_Other_%22Rich%22_Interface_Technologies
Vulnerability Scanners for Flash Components
http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project
Web Application Vulnerability Scanners
http://samate.nist.gov/index.php/Web_Application_Vulnerability_Scanners.html
Facebook Outs Hacker Kirllos
http://threatpost.com/en_us/blogs/facebook-outs-hacker-kirllos-051310?utm_source=Recent+Articles&utm_medium=Left+Sidebar+Topics&utm_campaign=Web+Application+Security
37. OWASP
Further references cont'd
Facebook Now Trending As Phishing Target
http://threatpost.com/en_us/blogs/facebook-now-trending-phishing-target-051310?utm_source=Recent+Articles&utm_medium=Left+Sidebar+Topics&utm_campaign=Web+Application+Security
Botnet Herders Can Command Via Twitter
http://threatpost.com/en_us/blogs/botnet-herders-can-now-command-twitter-051310?utm_source=Recent+Articles&utm_medium=Left+Sidebar+Topics&utm_campaign=Web+Application+Security
OWASP TOP 10 Risks
http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Guide to Twitter Compliance
http://insights.socialware.com/
38. OWASP
Further references cont'd
Web 2.0 Top 10 Web 2.0 Attack Vectors
http://www.net-security.org/article.php?id=949&p=4
Defending against the worst web based application vulnerabilities of 2010
http://www.slideshare.net/shreeraj/web-attacks-top-threats-2010
Security Concerns Hinder Adoption of Web 2.0 and Social Networking in Business
http://investor.mcafee.com/releasedetail.cfm?ReleaseID=511103
Web 2.0 a Top Security Threat in 2010, Survey Finds
http://pr.webroot.com/threat-research/ent/web-2-security-survey-170210.html