SlideShare a Scribd company logo

Web Application Security 101

Download as PPTX, PDF
Jannis Kirschner
Jannis Kirschner

Web Application Security Basics. - What's (Web) Application Security About - Practical Example covering OWASP Top 10 - Mitigation Strategies

Technology
1 of 19
Recap: WebSec 101 Jannis Kirschner
Why Security? src: https://www.veracode.com/blog/2016/08/top-4-reasons-why-application-security-should-be-your-focus
S-SDLC • Secure Software Development Lifecycle • Integrating security measures in every part of the SDLC
Threat Modeling
OWASP Top 10 • Open Web Application Standard Project • List of current threats • Sorted by likelihood + impact • Updated every few years • Translated to several languages
Security Can Be Split Into 3 Classes Technical Logical Configuration Issues A1 Injection A2 Broken Authentication A3 Sensitive Data Exposure A4 XXE A5 Broken Access Control A6 Security Misconfiguration A7 XSS A9 Known Vulns A8 Insecure Deserialization A10 Insufficient Logging
Technical Vulnerabilities • Usually easiest to spot • Happens when data doesn’t get properly validated/escaped • When software can’t distinguish between data und logic context • Common examples are Injections, XXE, Buffer Overflows • Fixes usually involve validation
A1 Injection • Root Cause: When data input gets interpreted as code (sql, xml, ldap) • Impact: Depends on sql server config (from CRUD operations to RCE) • Fix: Prepared Statements, Stored Procedures, (Escaping) • Can be «blind» = no feedback from application (can be leaked by factors like time, different behaviour) 1) ‘ characters from input field get interpreted as sql query code 2) Query evaluates statement to true and returns all entries
A4 XXE • Root-Cause: Happens when external DTD’s/Stylesheets get resolved • Impact: Read arbitrary files & «portscan» (RCE with libs like php expect) • Fix: Disable parsing 1) Read file and save as DTD 2) Print content of «DTD»
A7 XSS • Root Cause: Browser interprets data as javascript code • Impact: Leak (non http-only) cookies, redirections... • Fix: Output escaping, CSP-Headers, NoScript • Multiple types: • 1: Reflected = Requires user interaction (eg. click on link) • 2: Stored = Affects all users because stored on server • 3: Dom-based = Never reaches server 1) User opens link, reflected js gets executed 2) User visits guestbook, stored js gets executed 3) User opens link, dom-based js gets executed 4) Because location.search gets text 5) And attr «rewrites» object
A8 Insecure Deserialization («Object Injection») • Root Cause: When serialized data (serialize, pickle, yaml) gets trusted/evaluated • Impact: From privilege escalation to rce • Fix: Validation 1) Input gets trusted, user becomes admin through setting flag clientside 2) User sends serialized object 3) Server deserializes data 4) Object gets interpreted as «inject» variable 5) Variable gets evaluated leading to RCE
Logical Vulnerabilities • Errors in application logic • Harder to identify • Examples are Access Control Issues, Race Conditions, Unexpected Behaviour • Fixes can range from validation to redesign of application
A2 Broken Authentication • Collection of issues connected to the authentication process • Examples are user pw’s not hashed, no session timeout, no rotating session id’s etc... • Fix: Application redesign, Implementation MFA
A5 Broken Access Control • Collection of issues connected to authorisation • Impact: Sensitive Data Exposure, Privilege Escalation • Fix: ACL’s and validation 1) Attacker could input arbitrary account name and view private information
Configuration Issues • Often easy to find by scanners • Can be caused when software is misconfigured • Examples are Path Traversal, Using Vulnerable Libraries, Unsufficient Logging, Open AWS S3 buckets etc... • Usually patched by editing configuration files
A3 Sensitive Data Exposure • Collection of issues regarding sensitive data • Examples are plaintext protocols, default crypto keys, public S3 buckets
A6 Security Misconfiguration • Collection of issues regarding various misconfigurations • Examples are unnecessary open ports, path traversal, default passwords, public error logs Admin:Admin
A9 Components with known vulnerabilities • Using libraries that contain known vulnerable code • Can be checked with: https://www.cvedetails.com/ • Case-Study: JS Event-Stream Library
A10 Insufficient Logging and Monitoring • When security issues only get detected after a breach or can’t be reconstructed due to missing logs • Logging/Monitoring has to be part of every step of the S-SDLC

Recommended

Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Edureka!
 
Web application security
Web application securityWeb application security
Web application security
Akhil Raj
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissance
NishaYadav177
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
Priyanka Aash
 
Web application security
Web application securityWeb application security
Web application security
Kapil Sharma
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
Andrew McNicol
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodology
Rashad Aliyev
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
Cybersecurity Education and Research Centre
 

Recommended

Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Edureka!
 
Web application security
Web application securityWeb application security
Web application security
Akhil Raj
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissance
NishaYadav177
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
Priyanka Aash
 
Web application security
Web application securityWeb application security
Web application security
Kapil Sharma
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
Andrew McNicol
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodology
Rashad Aliyev
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
Cybersecurity Education and Research Centre
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing
Netpluz Asia Pte Ltd
 
Vulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingVulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration Testing
Yvonne Marambanyika
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jain
Suvrat Jain
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
Rick Wanner
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
Scott Sutherland
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASPMarco Morana
 
Security testing
Security testingSecurity testing
Security testing
Khizra Sammad
 
Analysis of web application penetration testing
Analysis of web application penetration testingAnalysis of web application penetration testing
Analysis of web application penetration testing
Engr Md Yusuf Miah
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
David Sweigert
 
Introduction To Exploitation & Metasploit
Introduction To Exploitation & MetasploitIntroduction To Exploitation & Metasploit
Introduction To Exploitation & Metasploit
Raghav Bisht
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
Nezar Alazzabi
 
Penetration testing
Penetration testingPenetration testing
Penetration testing
Ammar WK
 
Introduction to foot printing
Introduction to foot printingIntroduction to foot printing
Introduction to foot printing
CHETAN THAKRE
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Management
asherad
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application Security
Rob Ragan
 
Malicious software and software security
Malicious software and software securityMalicious software and software security
Malicious software and software security
G Prachi
 
Penetration Testing Execution Phases
Penetration Testing Execution Phases Penetration Testing Execution Phases
Penetration Testing Execution Phases
Nasir Bhutta
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
Amine SAIGHI
 
Vulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing LevelsVulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing LevelsPositive Hack Days
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levelsbeched
 

More Related Content

What's hot

VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing
Netpluz Asia Pte Ltd
 
Vulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingVulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration Testing
Yvonne Marambanyika
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jain
Suvrat Jain
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
Rick Wanner
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
Scott Sutherland
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASPMarco Morana
 
Security testing
Security testingSecurity testing
Security testing
Khizra Sammad
 
Analysis of web application penetration testing
Analysis of web application penetration testingAnalysis of web application penetration testing
Analysis of web application penetration testing
Engr Md Yusuf Miah
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
David Sweigert
 
Introduction To Exploitation & Metasploit
Introduction To Exploitation & MetasploitIntroduction To Exploitation & Metasploit
Introduction To Exploitation & Metasploit
Raghav Bisht
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
Nezar Alazzabi
 
Penetration testing
Penetration testingPenetration testing
Penetration testing
Ammar WK
 
Introduction to foot printing
Introduction to foot printingIntroduction to foot printing
Introduction to foot printing
CHETAN THAKRE
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Management
asherad
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application Security
Rob Ragan
 
Malicious software and software security
Malicious software and software securityMalicious software and software security
Malicious software and software security
G Prachi
 
Penetration Testing Execution Phases
Penetration Testing Execution Phases Penetration Testing Execution Phases
Penetration Testing Execution Phases
Nasir Bhutta
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
Amine SAIGHI
 

What's hot (20)

VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing
 
Vulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingVulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration Testing
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jain
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASP
 
Security testing
Security testingSecurity testing
Security testing
 
Analysis of web application penetration testing
Analysis of web application penetration testingAnalysis of web application penetration testing
Analysis of web application penetration testing
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
 
Introduction To Exploitation & Metasploit
Introduction To Exploitation & MetasploitIntroduction To Exploitation & Metasploit
Introduction To Exploitation & Metasploit
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
 
Penetration testing
Penetration testingPenetration testing
Penetration testing
 
Introduction to foot printing
Introduction to foot printingIntroduction to foot printing
Introduction to foot printing
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Management
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application Security
 
Malicious software and software security
Malicious software and software securityMalicious software and software security
Malicious software and software security
 
Penetration Testing Execution Phases
Penetration Testing Execution Phases Penetration Testing Execution Phases
Penetration Testing Execution Phases
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
 

Similar to Web Application Security 101

Vulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing LevelsVulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing LevelsPositive Hack Days
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levelsbeched
 
Altitude SF 2017: Security at the edge
Altitude SF 2017: Security at the edgeAltitude SF 2017: Security at the edge
Altitude SF 2017: Security at the edge
Fastly
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
Security Innovation
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud Hack
NotSoSecure Global Services
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013
tmd800
 
Exploitation techniques and fuzzing
Exploitation techniques and fuzzingExploitation techniques and fuzzing
Exploitation techniques and fuzzing
G Prachi
 
owasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWEowasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWE
Arun Voleti
 
Securing the Apache web server
Securing the Apache web serverSecuring the Apache web server
Securing the Apache web serverwebhostingguy
 
Securing the Apache web server
Securing the Apache web serverSecuring the Apache web server
Securing the Apache web serverwebhostingguy
 
OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012
ZIONSECURITY
 
Lesson 6 web based attacks
Lesson 6 web based attacksLesson 6 web based attacks
Lesson 6 web based attacksFrank Victory
 
OWASP Top Ten in Practice
OWASP Top Ten in PracticeOWASP Top Ten in Practice
OWASP Top Ten in Practice
Security Innovation
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
bilcorry
 
Owasp
Owasp Owasp
Owasp
penetration Tester
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
n|u - The Open Security Community
 
Try {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Try {stuff} Catch {hopefully not} - Evading Detection & Covering TracksTry {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Try {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Yossi Sassi
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
IBM Security
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
Zakaria SMAHI
 
DBMS Vulnerabilities And Threats.pptx
DBMS Vulnerabilities And Threats.pptxDBMS Vulnerabilities And Threats.pptx
DBMS Vulnerabilities And Threats.pptx
siti829412
 

Similar to Web Application Security 101 (20)

Vulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing LevelsVulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing Levels
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levels
 
Altitude SF 2017: Security at the edge
Altitude SF 2017: Security at the edgeAltitude SF 2017: Security at the edge
Altitude SF 2017: Security at the edge
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud Hack
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013
 
Exploitation techniques and fuzzing
Exploitation techniques and fuzzingExploitation techniques and fuzzing
Exploitation techniques and fuzzing
 
owasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWEowasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWE
 
Securing the Apache web server
Securing the Apache web serverSecuring the Apache web server
Securing the Apache web server
 
Securing the Apache web server
Securing the Apache web serverSecuring the Apache web server
Securing the Apache web server
 
OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012
 
Lesson 6 web based attacks
Lesson 6 web based attacksLesson 6 web based attacks
Lesson 6 web based attacks
 
OWASP Top Ten in Practice
OWASP Top Ten in PracticeOWASP Top Ten in Practice
OWASP Top Ten in Practice
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Owasp
Owasp Owasp
Owasp
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Try {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Try {stuff} Catch {hopefully not} - Evading Detection & Covering TracksTry {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Try {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
DBMS Vulnerabilities And Threats.pptx
DBMS Vulnerabilities And Threats.pptxDBMS Vulnerabilities And Threats.pptx
DBMS Vulnerabilities And Threats.pptx
 

Recently uploaded

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 

Recently uploaded (20)

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 

Web Application Security 101

  • 3. S-SDLC • Secure Software Development Lifecycle • Integrating security measures in every part of the SDLC
  • 5. OWASP Top 10 • Open Web Application Standard Project • List of current threats • Sorted by likelihood + impact • Updated every few years • Translated to several languages
  • 6. Security Can Be Split Into 3 Classes Technical Logical Configuration Issues A1 Injection A2 Broken Authentication A3 Sensitive Data Exposure A4 XXE A5 Broken Access Control A6 Security Misconfiguration A7 XSS A9 Known Vulns A8 Insecure Deserialization A10 Insufficient Logging
  • 7. Technical Vulnerabilities • Usually easiest to spot • Happens when data doesn’t get properly validated/escaped • When software can’t distinguish between data und logic context • Common examples are Injections, XXE, Buffer Overflows • Fixes usually involve validation
  • 8. A1 Injection • Root Cause: When data input gets interpreted as code (sql, xml, ldap) • Impact: Depends on sql server config (from CRUD operations to RCE) • Fix: Prepared Statements, Stored Procedures, (Escaping) • Can be «blind» = no feedback from application (can be leaked by factors like time, different behaviour) 1) ‘ characters from input field get interpreted as sql query code 2) Query evaluates statement to true and returns all entries
  • 9. A4 XXE • Root-Cause: Happens when external DTD’s/Stylesheets get resolved • Impact: Read arbitrary files & «portscan» (RCE with libs like php expect) • Fix: Disable parsing 1) Read file and save as DTD 2) Print content of «DTD»
  • 10. A7 XSS • Root Cause: Browser interprets data as javascript code • Impact: Leak (non http-only) cookies, redirections... • Fix: Output escaping, CSP-Headers, NoScript • Multiple types: • 1: Reflected = Requires user interaction (eg. click on link) • 2: Stored = Affects all users because stored on server • 3: Dom-based = Never reaches server 1) User opens link, reflected js gets executed 2) User visits guestbook, stored js gets executed 3) User opens link, dom-based js gets executed 4) Because location.search gets text 5) And attr «rewrites» object
  • 11. A8 Insecure Deserialization («Object Injection») • Root Cause: When serialized data (serialize, pickle, yaml) gets trusted/evaluated • Impact: From privilege escalation to rce • Fix: Validation 1) Input gets trusted, user becomes admin through setting flag clientside 2) User sends serialized object 3) Server deserializes data 4) Object gets interpreted as «inject» variable 5) Variable gets evaluated leading to RCE
  • 12. Logical Vulnerabilities • Errors in application logic • Harder to identify • Examples are Access Control Issues, Race Conditions, Unexpected Behaviour • Fixes can range from validation to redesign of application
  • 13. A2 Broken Authentication • Collection of issues connected to the authentication process • Examples are user pw’s not hashed, no session timeout, no rotating session id’s etc... • Fix: Application redesign, Implementation MFA
  • 14. A5 Broken Access Control • Collection of issues connected to authorisation • Impact: Sensitive Data Exposure, Privilege Escalation • Fix: ACL’s and validation 1) Attacker could input arbitrary account name and view private information
  • 15. Configuration Issues • Often easy to find by scanners • Can be caused when software is misconfigured • Examples are Path Traversal, Using Vulnerable Libraries, Unsufficient Logging, Open AWS S3 buckets etc... • Usually patched by editing configuration files
  • 16. A3 Sensitive Data Exposure • Collection of issues regarding sensitive data • Examples are plaintext protocols, default crypto keys, public S3 buckets
  • 17. A6 Security Misconfiguration • Collection of issues regarding various misconfigurations • Examples are unnecessary open ports, path traversal, default passwords, public error logs Admin:Admin
  • 18. A9 Components with known vulnerabilities • Using libraries that contain known vulnerable code • Can be checked with: https://www.cvedetails.com/ • Case-Study: JS Event-Stream Library
  • 19. A10 Insufficient Logging and Monitoring • When security issues only get detected after a breach or can’t be reconstructed due to missing logs • Logging/Monitoring has to be part of every step of the S-SDLC