Web application security
•
1 like•658 views
95% of attacks target web servers and applications through SQL injection and other injection attacks, which were used to install malware over 60% of the time. Solutions include secure coding training, code reviews, log monitoring, and awareness of new attacks.
Report
Share
Report
Share
Recommended
Top 10 web application security risks akash mahajan
Looking at the Top 10 web application security risks according to OWASP Top 2010
Layered API Security: What Hackers Don't Want You To Know
What do Google, Facebook, Paypal, IRS, and USPS have in common? The answer is hackers exploited their APIs to access sensitive customer information. Although these API attacks were detected and exposed, most API-based attacks go undetected in today's technologically sophisticated world – particularly attacks that come from authenticated sources. With the number of APIs increasing constantly right along with the number of API attacks, API security has never been so important to an organization's success.
YOU MUST REGISTER HERE TO GET THE CONFERENCE LINK: https://bigcompass.typeform.com/to/emg9DO
Ping Identity and Azure have partnered together with a market-leading solution to tackle the complexities and nuances of protecting API infrastructures and the digital assets that they connect.
This session will discuss today’s API threat landscape and explore what you can do to both detect and block advanced attacks on APIs. The presentation will first dive into the API development lifecycle using a live API built with Azure. We will look at some common monitoring capabilities on the Azure API and what a security violation would look like.
Then, we will have some fun by simulating attacks on our own API. In this phase of the presentation, we will simulate some basic attacks and show how security policies or a web application firewall can block these common attacks.
From there, we will dive even deeper by simulating more advanced attacks from authenticated users (data theft and API takeover), hackers who have reverse engineered an API, and layer 7 DoS attacks that fly under the SLA radar. This is where we will showcase PingIntelligence’s advanced capabilities by showing how a Azure API (or any other API) can connect with PingIntelligence to detect and prevent sophisticated attacks. This will allow the audience to see how the PingIntelligence software uses AI to discover and model normal behavior on an API to block and report on advanced attacks.
How secure is your website?
If your website is not secure you run the risk of losing sensitive information.
Data-driven API Security
Standard API security approaches and best practices that harden your API security can ensure safe and secure operations. However, these approaches may not be enough to protect your backend from sophisticated data extrusion through API key attacks, low and slow data scrapping that blend with your legitimate traffic. Enter data driven security. This session at I Love APIs 2014 covered how your API data can help you gain insights to traffic anomalies and security/privacy abuse. And how you can mitigate risks using data driven API security controls.
OWASP API Security TOP 10 - 2019
Los 10 riesgos más imporatantes para la seguridad de las APIs en 2019
The Quiet Rise of Account Takeover
Account takeover has started to become a huge issue in 2016, but it's actually been the number one attack vector for web applications for the past three years.
Learn how this common attack works, why it's so popular with attackers, and how you can defend against it.
Recommended
Top 10 web application security risks akash mahajan
Looking at the Top 10 web application security risks according to OWASP Top 2010
Layered API Security: What Hackers Don't Want You To Know
What do Google, Facebook, Paypal, IRS, and USPS have in common? The answer is hackers exploited their APIs to access sensitive customer information. Although these API attacks were detected and exposed, most API-based attacks go undetected in today's technologically sophisticated world – particularly attacks that come from authenticated sources. With the number of APIs increasing constantly right along with the number of API attacks, API security has never been so important to an organization's success.
YOU MUST REGISTER HERE TO GET THE CONFERENCE LINK: https://bigcompass.typeform.com/to/emg9DO
Ping Identity and Azure have partnered together with a market-leading solution to tackle the complexities and nuances of protecting API infrastructures and the digital assets that they connect.
This session will discuss today’s API threat landscape and explore what you can do to both detect and block advanced attacks on APIs. The presentation will first dive into the API development lifecycle using a live API built with Azure. We will look at some common monitoring capabilities on the Azure API and what a security violation would look like.
Then, we will have some fun by simulating attacks on our own API. In this phase of the presentation, we will simulate some basic attacks and show how security policies or a web application firewall can block these common attacks.
From there, we will dive even deeper by simulating more advanced attacks from authenticated users (data theft and API takeover), hackers who have reverse engineered an API, and layer 7 DoS attacks that fly under the SLA radar. This is where we will showcase PingIntelligence’s advanced capabilities by showing how a Azure API (or any other API) can connect with PingIntelligence to detect and prevent sophisticated attacks. This will allow the audience to see how the PingIntelligence software uses AI to discover and model normal behavior on an API to block and report on advanced attacks.
How secure is your website?
If your website is not secure you run the risk of losing sensitive information.
Data-driven API Security
Standard API security approaches and best practices that harden your API security can ensure safe and secure operations. However, these approaches may not be enough to protect your backend from sophisticated data extrusion through API key attacks, low and slow data scrapping that blend with your legitimate traffic. Enter data driven security. This session at I Love APIs 2014 covered how your API data can help you gain insights to traffic anomalies and security/privacy abuse. And how you can mitigate risks using data driven API security controls.
OWASP API Security TOP 10 - 2019
Los 10 riesgos más imporatantes para la seguridad de las APIs en 2019
The Quiet Rise of Account Takeover
Account takeover has started to become a huge issue in 2016, but it's actually been the number one attack vector for web applications for the past three years.
Learn how this common attack works, why it's so popular with attackers, and how you can defend against it.
Applying API Security at Scale
By Isabelle Mauny, Chief Product Officer & Co-Founder at 42Crunch
With the crazy rate at which APIs are developed, enterprises face a delicate situation to secure them. Data validation, input sanitization, security testing are tasks that require a lot of attention and time. When done very late in the API lifecycle, results are usually disastrous. API Security must be fully part of the API lifecycle, as transparent as possible, preventing developers from introducing vulnerabilities early on. A bug discovered in production can cost up to 30 times more effort to solve. Security vulnerabilities are no different.
Data-driven Security: Protect APIs from Adaptive Threats
Apigee's security architect discusses data-driven security and previews Apigee's new bot detection product Apigee Sense at I Love APIs 2015
Managing Identities in the World of APIs
Security architects from Thompson Reuters, SVB, and APigee discuss Managing Identities in the World of APIs at I Love APIs 2015
Security as an Enabler for the Digital World - CISO Perspective
A successful API strategy requires a strong partnership between the business, IT, and security functions. Rather than as a hindrance, security increasingly is viewed as a business enabler, with CISOs and CSOs playing a critical role in implementing “guardrails” for safe, secure and compliant API services and security architectures free of unnecessary complexity.
Ultimately, a secure API platform enables developers and DevOps to focus on innovation—by improving the mobile user experience and deploying apps in the cloud, with appropriate security controls built-in. In this webcast, Apigee’s Subra Kumaraswamy and Saba Software CSO Randy Barr will explore how CISOs and CSOs partner with IT and business leaders for a safe and secure journey to cloud, SaaS, and mobile services.
Join to learn about:
- The role of the security officer in helping IT and business meet objectives
- How smart and secure API guardrails remove friction in consuming APIs while protecting sensitive data exposed via APIs.
- Best practices that work for an API centric enterprise
Download podcast: http://bit.ly/1B6h3TR
Open APIs: Security for Mobile and the Cloud
A look at what’s driving new Internet-facing organizations to open up information through APIs and the implications for application security.
Windows Advance Threats - BSides Amman 2019
Learn how to hack Windows machines and reveal the password of the domain admin by hacking into the memory and Windows Services. This is Level 400 content with a lot of demos and it covers many security technologies like machine learning, post-breach defensive and pre-preach defensive controls.
I presented this session in the first BSides Security conference in Amman-Jordan and I am sharing the slides as requested by the audience.
I am also going to post the full video on my Youtube Channel: http://youtube.com/ammarhasayen , so, don't forget to subscribe.
I would like to hear your feedback on my session, so please connect with me on twitter @ammarhasayen and let me know what do you think.
About me: http://ahasayen.com
Blog: http://blog.ahasayen.com
Social Media (Twiiter, LinkedIn, Instagram): @ammarhasayen
Windows Advanced Threat and Defensive Technique
The Dev, Sec and Ops of API Security - NordicAPIs
The enterprise use of APIs is growing exponentially. Companies face a difficult choice. They must shift towards a software-based, digital approach to service and product delivery – or get left behind. Agile development, business pressure and the complexity of API security have made security teams life very complicated. And to make matters more complicated, the adoption of microservices architectures has multiplied the number of API endpoints that you have to protect.
Downside: The more APIs, the higher the security risk!
API security flaws are injected at many different levels of the API lifecycle: in requirements, development, deployment and monitoring. It is proven that detecting and fixing vulnerabilities during production or post-release time is up to 30 times more difficult than earlier in the API lifecycle. Security should be easy to considered at requirements phase, applied during development by attaching pre-defined policies to APIs and ensuring that security tests are performed as part of the continuous delivery of the APIs.
Upside: We’ll prep you with all the knowledge and tools you need to implement an automated, end-to-end API Security process that will get your dev, sec and ops teams speaking the same language.
In this presentation you will learn:
Security risks at each stage of the API lifecycle, and how to mitigate them.
How to implement an end-to-end automated API security model that development, security and operations teams will love.
How to think positive! Why a positive security model works.
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Samsung’s first Tizen-based devices are set to launch in the middle of 2015. This paper presents the research outcome on the security analysis of Tizen OS and it’s underlying security architecture. The paper begins with a quick introduction to Tizen architecture and explains the various components of Tizen OS. This will be followed by Tizen’s security model where application sandboxing and resource access control will be explained. Moving on, an overview of Tizen’s Content Security Framework which acts as an in-built malware detection API will be covered.
Various vulnerabilities in Tizen will be discussed including issues like Tizen WebKit2 address spoofing and content injection, Tizen WebKit CSP bypass and issues in Tizen’s memory protection (ASLR and DEP).
OWASP API Security Top 10 - API World
In recent years, large reputable companies such as Facebook, Google and Equifax have suffered major data breaches that combined exposed the personal information of hundreds of millions of people worldwide. The common vector linking these breaches – APIs. The scale and magnitude of these breaches are the reason API security has been launched into the forefront of enterprise security concerns – now forcing us to rethink the way we approach API security as a whole.
OWASP Top 10 project has for a long time been the standard list of top vulnerabilities to look for and mitigate in the world of web applications.
APIs represent a significantly different set of threats, attack vectors, and security best practices. This caused the OWASP community to launch OWASP API Security project earlier this year.
In this session we’ll discuss:
· What makes API Security different from web application security
· The top 10 common API security vulnerabilities
· Examples and mitigation strategies for each of the risks
Verizon DMS' Bot Mitigation from Paul Hobbs
Bot Mitigation, help protect log in pages, API's and applications from Automation, Account takeover and fraud.
Become a Security Ninja
Insecure software undermines our infrastructure and puts our organizations at risk. Whether you’re a new developer, a designer who is beginning to experiment with programming, or a seasoned developer looking for a refresher, join us as we discuss why attacks happen, go over the most common vulnerabilities and techniques you can use to code defensively. This hands-on workshop will feature real-world hacking exercises that correspond to each of the Open Web Application Security Project (OWASP) top 10 vulnerabilities, helping to hone your skills as a security ninja!
CSS 17: NYC - Stories from the SOC
Presentation from Alert Logic Cyber Security Evangelist Paul Fletcher at the Cloud Security Summit in NYC on April 26, 2017.
WEBINAR: Positive Security for APIs: What it is and why you need it!
WATCH WEBINAR: https://youtu.be/SywcVCvgXP0
Many of the issues on the OWASP API Security Top 10 are triggered by the lack of input or o¬utput validation. Here are a few illustrative real-life examples on this:
• Drupal suffered a major issue in February 2019: a remote code execution flaw due to a parameter not properly validated.
• Tchap, the brand new messaging app of the French government was hacked in an hour due to the lack of validation of the registration email.
• CVE-2017-5638, better known as the “Equifax attack”. This vulnerability in Apache Struts could be exploited by crafting a custom Content-Type header and embedding ONGL expressions in the header value.
• Cisco got fined $8.6 million for knowingly selling its Video Surveillance Manager (VSM) product that included API vulnerabilities to the US federal and state agencies. The actual API flaws included a lack of user input validation and insufficient authentication.
To protect APIs from such issues, an API-native, positive security approach is required: we create a whitelist of the characteristics of allowed requests. These characteristics are used to validate input and output data for things like data type, min or max length, permitted characters, or valid values ranges. But how do we fill the gap between security and development mentioned above?
What you’ll learn:
• Why WAFs fail in protecting APIs
• How a whitelist protects against A3, A6 and A8 of the OWASP API Security Top 10 – (with real-life examples)
• How to build a proper whitelist for API security
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Presentation from OWASP Serbia from 7.4.2015. Topics: OWASP Mobile project, OWASP Mobile Top 10 risks, OWASP Seraphimdroid
Secure Modern Workplace With Microsoft 365 Threat Protection
Join me as I walk you through alll what Microsoft 365 has to offer to protect your business and organization. I am going to cover every security feature and how it fits in the big picture. Whether you are on-premises organization or migrating to the cloud, there is something for you to look at.
Follow me on twitter @ammarhasayen and connect on Linkedined https://www.linkedin.com/in/ammarhasayen
Here is the full blog post: https://blog.ahasayen.com/secure-modern-workplace-with-microsoft-365-advanced-threat-protection/
OWASP Top 10 - 2017
The Open Web Application Security Project, is an online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security.
One of those projects, The OWASP Top Ten, provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are.
The OWASP team recently released the 2017 revised and updated version of the ten most critical web application security risks and so we’ve created these flash cards for you, your friends, and your colleagues (especially product and engineering :) to test your knowledge and learn more about these important issues.
Company-wide security awareness is a powerful way to improve the overall security of your organization. So adorn your waiting rooms, cubicles, and snack rooms with these flash cards for easy learning and remembrance.
CIS13: APIs, Identity, and Securing the Enterprise
Bradford Stephens, Developer Evangelist, Ping Identity
APIs are the glue of the web, and Enterprise APIs are driving innovation inside and out of the cloud. Now that information is being shared more freely, how can we secure those APIs? Data silos are falling across the enterprise and needs for interoperability are rising -- but how do you manage access in a de-siloed world? This talk will mix best practices and real-world examples for examining how to secure your APIs.
API Abuse - The Anatomy of An Attack
Gartner’s statement that “By 2022, API abuses will be the most-frequent attack vector resulting in data breaches for enterprise web applications.” is often quoted, but what does an API abuse attack actually look and feel like?
At last year’s Platform Summit, I described 3 different types of API abuse at a high level, summarizing who abuses and why.
The year I will go into anatomical and forensic detail on one specific API abuse attack based on our real experiences, explaining what it looked and felt like through the exploration and probing phase, into the setup and test stage, and finally into the at scale exploitation.
Secure HTTP Headers c0c0n 2011 Akash Mahajan
Web site users are facing new and improved threats nowadays. These range from clickjacking, json injection to likejacking among others. Companies like Google, Mozilla, Microsoft etc. have started implementing new HTTP response headers to counter some of the advanced attacks against their website users. Some of the new attacks aren't well understood by the application developers and hence they aren’t using the new secure headers supported by the new browsers. This is either due to ignorance or in order to keep supporting older insecure browsers versions of Internet Explorer.
This talk we will walkthrough what these attacks are, how this various security headers protect the web application users and what is the status of compatibility currently.
The real incident of stealing a droid app+data
This is a beginner level talk/lecture about how we managed to steal data, bypass security controls and steal the source code of an Android application which was supposed to be secure.
Technically what we managed to do isn't ground breaking, but due to a combination of reasons we were able to radically change the security of the Android app for the better.
More Related Content
What's hot
Applying API Security at Scale
By Isabelle Mauny, Chief Product Officer & Co-Founder at 42Crunch
With the crazy rate at which APIs are developed, enterprises face a delicate situation to secure them. Data validation, input sanitization, security testing are tasks that require a lot of attention and time. When done very late in the API lifecycle, results are usually disastrous. API Security must be fully part of the API lifecycle, as transparent as possible, preventing developers from introducing vulnerabilities early on. A bug discovered in production can cost up to 30 times more effort to solve. Security vulnerabilities are no different.
Data-driven Security: Protect APIs from Adaptive Threats
Apigee's security architect discusses data-driven security and previews Apigee's new bot detection product Apigee Sense at I Love APIs 2015
Managing Identities in the World of APIs
Security architects from Thompson Reuters, SVB, and APigee discuss Managing Identities in the World of APIs at I Love APIs 2015
Security as an Enabler for the Digital World - CISO Perspective
A successful API strategy requires a strong partnership between the business, IT, and security functions. Rather than as a hindrance, security increasingly is viewed as a business enabler, with CISOs and CSOs playing a critical role in implementing “guardrails” for safe, secure and compliant API services and security architectures free of unnecessary complexity.
Ultimately, a secure API platform enables developers and DevOps to focus on innovation—by improving the mobile user experience and deploying apps in the cloud, with appropriate security controls built-in. In this webcast, Apigee’s Subra Kumaraswamy and Saba Software CSO Randy Barr will explore how CISOs and CSOs partner with IT and business leaders for a safe and secure journey to cloud, SaaS, and mobile services.
Join to learn about:
- The role of the security officer in helping IT and business meet objectives
- How smart and secure API guardrails remove friction in consuming APIs while protecting sensitive data exposed via APIs.
- Best practices that work for an API centric enterprise
Download podcast: http://bit.ly/1B6h3TR
Open APIs: Security for Mobile and the Cloud
A look at what’s driving new Internet-facing organizations to open up information through APIs and the implications for application security.
Windows Advance Threats - BSides Amman 2019
Learn how to hack Windows machines and reveal the password of the domain admin by hacking into the memory and Windows Services. This is Level 400 content with a lot of demos and it covers many security technologies like machine learning, post-breach defensive and pre-preach defensive controls.
I presented this session in the first BSides Security conference in Amman-Jordan and I am sharing the slides as requested by the audience.
I am also going to post the full video on my Youtube Channel: http://youtube.com/ammarhasayen , so, don't forget to subscribe.
I would like to hear your feedback on my session, so please connect with me on twitter @ammarhasayen and let me know what do you think.
About me: http://ahasayen.com
Blog: http://blog.ahasayen.com
Social Media (Twiiter, LinkedIn, Instagram): @ammarhasayen
Windows Advanced Threat and Defensive Technique
The Dev, Sec and Ops of API Security - NordicAPIs
The enterprise use of APIs is growing exponentially. Companies face a difficult choice. They must shift towards a software-based, digital approach to service and product delivery – or get left behind. Agile development, business pressure and the complexity of API security have made security teams life very complicated. And to make matters more complicated, the adoption of microservices architectures has multiplied the number of API endpoints that you have to protect.
Downside: The more APIs, the higher the security risk!
API security flaws are injected at many different levels of the API lifecycle: in requirements, development, deployment and monitoring. It is proven that detecting and fixing vulnerabilities during production or post-release time is up to 30 times more difficult than earlier in the API lifecycle. Security should be easy to considered at requirements phase, applied during development by attaching pre-defined policies to APIs and ensuring that security tests are performed as part of the continuous delivery of the APIs.
Upside: We’ll prep you with all the knowledge and tools you need to implement an automated, end-to-end API Security process that will get your dev, sec and ops teams speaking the same language.
In this presentation you will learn:
Security risks at each stage of the API lifecycle, and how to mitigate them.
How to implement an end-to-end automated API security model that development, security and operations teams will love.
How to think positive! Why a positive security model works.
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Samsung’s first Tizen-based devices are set to launch in the middle of 2015. This paper presents the research outcome on the security analysis of Tizen OS and it’s underlying security architecture. The paper begins with a quick introduction to Tizen architecture and explains the various components of Tizen OS. This will be followed by Tizen’s security model where application sandboxing and resource access control will be explained. Moving on, an overview of Tizen’s Content Security Framework which acts as an in-built malware detection API will be covered.
Various vulnerabilities in Tizen will be discussed including issues like Tizen WebKit2 address spoofing and content injection, Tizen WebKit CSP bypass and issues in Tizen’s memory protection (ASLR and DEP).
OWASP API Security Top 10 - API World
In recent years, large reputable companies such as Facebook, Google and Equifax have suffered major data breaches that combined exposed the personal information of hundreds of millions of people worldwide. The common vector linking these breaches – APIs. The scale and magnitude of these breaches are the reason API security has been launched into the forefront of enterprise security concerns – now forcing us to rethink the way we approach API security as a whole.
OWASP Top 10 project has for a long time been the standard list of top vulnerabilities to look for and mitigate in the world of web applications.
APIs represent a significantly different set of threats, attack vectors, and security best practices. This caused the OWASP community to launch OWASP API Security project earlier this year.
In this session we’ll discuss:
· What makes API Security different from web application security
· The top 10 common API security vulnerabilities
· Examples and mitigation strategies for each of the risks
Verizon DMS' Bot Mitigation from Paul Hobbs
Bot Mitigation, help protect log in pages, API's and applications from Automation, Account takeover and fraud.
Become a Security Ninja
Insecure software undermines our infrastructure and puts our organizations at risk. Whether you’re a new developer, a designer who is beginning to experiment with programming, or a seasoned developer looking for a refresher, join us as we discuss why attacks happen, go over the most common vulnerabilities and techniques you can use to code defensively. This hands-on workshop will feature real-world hacking exercises that correspond to each of the Open Web Application Security Project (OWASP) top 10 vulnerabilities, helping to hone your skills as a security ninja!
CSS 17: NYC - Stories from the SOC
Presentation from Alert Logic Cyber Security Evangelist Paul Fletcher at the Cloud Security Summit in NYC on April 26, 2017.
WEBINAR: Positive Security for APIs: What it is and why you need it!
WATCH WEBINAR: https://youtu.be/SywcVCvgXP0
Many of the issues on the OWASP API Security Top 10 are triggered by the lack of input or o¬utput validation. Here are a few illustrative real-life examples on this:
• Drupal suffered a major issue in February 2019: a remote code execution flaw due to a parameter not properly validated.
• Tchap, the brand new messaging app of the French government was hacked in an hour due to the lack of validation of the registration email.
• CVE-2017-5638, better known as the “Equifax attack”. This vulnerability in Apache Struts could be exploited by crafting a custom Content-Type header and embedding ONGL expressions in the header value.
• Cisco got fined $8.6 million for knowingly selling its Video Surveillance Manager (VSM) product that included API vulnerabilities to the US federal and state agencies. The actual API flaws included a lack of user input validation and insufficient authentication.
To protect APIs from such issues, an API-native, positive security approach is required: we create a whitelist of the characteristics of allowed requests. These characteristics are used to validate input and output data for things like data type, min or max length, permitted characters, or valid values ranges. But how do we fill the gap between security and development mentioned above?
What you’ll learn:
• Why WAFs fail in protecting APIs
• How a whitelist protects against A3, A6 and A8 of the OWASP API Security Top 10 – (with real-life examples)
• How to build a proper whitelist for API security
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Presentation from OWASP Serbia from 7.4.2015. Topics: OWASP Mobile project, OWASP Mobile Top 10 risks, OWASP Seraphimdroid
Secure Modern Workplace With Microsoft 365 Threat Protection
Join me as I walk you through alll what Microsoft 365 has to offer to protect your business and organization. I am going to cover every security feature and how it fits in the big picture. Whether you are on-premises organization or migrating to the cloud, there is something for you to look at.
Follow me on twitter @ammarhasayen and connect on Linkedined https://www.linkedin.com/in/ammarhasayen
Here is the full blog post: https://blog.ahasayen.com/secure-modern-workplace-with-microsoft-365-advanced-threat-protection/
OWASP Top 10 - 2017
The Open Web Application Security Project, is an online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security.
One of those projects, The OWASP Top Ten, provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are.
The OWASP team recently released the 2017 revised and updated version of the ten most critical web application security risks and so we’ve created these flash cards for you, your friends, and your colleagues (especially product and engineering :) to test your knowledge and learn more about these important issues.
Company-wide security awareness is a powerful way to improve the overall security of your organization. So adorn your waiting rooms, cubicles, and snack rooms with these flash cards for easy learning and remembrance.
CIS13: APIs, Identity, and Securing the Enterprise
Bradford Stephens, Developer Evangelist, Ping Identity
APIs are the glue of the web, and Enterprise APIs are driving innovation inside and out of the cloud. Now that information is being shared more freely, how can we secure those APIs? Data silos are falling across the enterprise and needs for interoperability are rising -- but how do you manage access in a de-siloed world? This talk will mix best practices and real-world examples for examining how to secure your APIs.
API Abuse - The Anatomy of An Attack
Gartner’s statement that “By 2022, API abuses will be the most-frequent attack vector resulting in data breaches for enterprise web applications.” is often quoted, but what does an API abuse attack actually look and feel like?
At last year’s Platform Summit, I described 3 different types of API abuse at a high level, summarizing who abuses and why.
The year I will go into anatomical and forensic detail on one specific API abuse attack based on our real experiences, explaining what it looked and felt like through the exploration and probing phase, into the setup and test stage, and finally into the at scale exploitation.
What's hot (20)
Data-driven Security: Protect APIs from Adaptive Threats
Data-driven Security: Protect APIs from Adaptive Threats
Security as an Enabler for the Digital World - CISO Perspective
Security as an Enabler for the Digital World - CISO Perspective
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
WEBINAR: Positive Security for APIs: What it is and why you need it!
WEBINAR: Positive Security for APIs: What it is and why you need it!
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Secure Modern Workplace With Microsoft 365 Threat Protection
Secure Modern Workplace With Microsoft 365 Threat Protection
CIS13: APIs, Identity, and Securing the Enterprise
CIS13: APIs, Identity, and Securing the Enterprise
Viewers also liked
Secure HTTP Headers c0c0n 2011 Akash Mahajan
Web site users are facing new and improved threats nowadays. These range from clickjacking, json injection to likejacking among others. Companies like Google, Mozilla, Microsoft etc. have started implementing new HTTP response headers to counter some of the advanced attacks against their website users. Some of the new attacks aren't well understood by the application developers and hence they aren’t using the new secure headers supported by the new browsers. This is either due to ignorance or in order to keep supporting older insecure browsers versions of Internet Explorer.
This talk we will walkthrough what these attacks are, how this various security headers protect the web application users and what is the status of compatibility currently.
The real incident of stealing a droid app+data
This is a beginner level talk/lecture about how we managed to steal data, bypass security controls and steal the source code of an Android application which was supposed to be secure.
Technically what we managed to do isn't ground breaking, but due to a combination of reasons we were able to radically change the security of the Android app for the better.
INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-there
INCOMPLETE SLIDES - For Rootconf 2014
How do you setup SSH as a TOR hidden service and run a SSH honey pot on port 22
Believe It Or Not SSL Attacks
A talk about attacks against SSL that have been uncovered in the last 3-4 years. This talk delves into about what exactly was attacked and how it was attacked and how SSL is still a pretty useful piece of technology.
This was given at null Bangalore April Meeting.
Venom vulnerability Overview and a basic demo
A simple presentation and demo about VENOM
1. What is it?
2. Why is it a big deal?
3. What does it impact?
4. How does it do that?
5. A demo
Viewers also liked (7)
INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-there
INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-there
Hackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web Programming
Similar to Web application security
Security risks awareness
Helps to create awareness about prevailing security issues one could face when adapting internet business and modern technology
OWASP Top 10 Vulnerabilities 2017- AppTrana
Our latest OWASP Top Vulnerabilities Guide updated for new 2017 issues serves as a practical guide to understanding OWASP Top 10 vulnerabilities and preparing a response plan to counter these vulnerabilities.
CEH Domain 5.pdf
Considering that most people have used mobile applications like PUB-G, Instagram, and WhatsApp. I will give you an example of a web application that is also a mobile app.
https://www.infosectrain.com/courses/ceh-v11-certification-training/
Domain 5 of the CEH: Web Application Hacking
Considering that most people have used mobile applications like PUB-G, Instagram, and WhatsApp. I will give you an example of a web application that is also a mobile app. Now assume you’ve lost your mobile or your mobile is switched off, and you are willing to scroll the insta feed. What will you do? Login to your account through Google Chrome. Right? And that’s it, as you can use your Instagram by using a web browser. It is called a web application. A few famous examples of web applications are Facebook, MakeMyTrip, Flipboard, and the 2048 Game.
https://www.infosectrain.com/blog/domain-5-of-the-ceh-web-application-hacking/
5 step plan to securing your APIs
Learn some common API attack vectors and a five-step plan that you can implement to help protect your APIs
Web Application Firewall (WAF) DAST/SAST combination
In this presentation we analyze benefits of applied innovative WAF that have callback connection with DAST security tools and allow very quickly detect security defects in critical SaaS or e-commerce application
Domain 5 of the CEH Web Application Hacking.pptx
We will discuss the fifth domain of CEH, which is ‘web application hacking.’
Get Ready for Web Application Security Testing
Presented at Testing Professional Network in Auckland, New Zealand at 16 Feb 2010.
Java Application Development Vulnerabilities
The developers of our Java web application development company are well-versed in the programming language. With years of experience and knowledge, they are aware of all the Java security issues and the fixes that fortify security. If you want to create an application that is safe and robust, contact us at any time.
Developing Secure Applications and Defending Against Common Attacks
Make sure you’re defending against the most common web security issues and attacks with this useful overview of software development best-practices. We'll go over the most common attacks against web applications and present real world advice for defending yourself against these types of attacks.
Top Application Security Trends of 2012
Learn about the major risks to Cloud and Web-based Applications. What are their weaknesses? How can you deploy them in a more confident fashion and avoid the risks? What can you do to protect these applications without creating a major burden on your end-users and customers. Application Security has become one of the top most priorities of CIOs, CSOs and IT Staff in 2012. Cloud has created a paradigm shift in how we leverage technology. Learn about the power of the Cloud to Secure your applications.
Top Application Security Threats
The following slides present an
application security checklist — a look at how your company can counter the
impact of seven top application security threats.
A DevOps Guide to Web Application Security
You’ve seen the headlines—"[Well-Known Company] Falls Victim To Hackers".
These data breaches result in the theft of millions of names, passwords, credit card numbers, and other personal data. Imagine if such a breach lead to the theft of your application's data. . .
If multi-national companies with dedicated security teams and expansive budgets aren’t immune to the impact of hackers, how can you adequately prepare yourself to defeat this threat?
This presentation will explore the web application threat landscape. It will zero in on some of the most common attacks wreaking havoc on the internet, teaching you how to defend your online assets from them.
This presentation will discuss:
• The major security breaches of 2014
• Web application threats and common attack types
• How to defend against today’s common attacks
• Automated tools to help simplify website security
Owasp top 10 web application security hazards - Part 1
Mission :- Understand / Learn / Practice OWASP Web Security Vulnerabilities https://www.owasp.org/index.php/Top102013-Top_10 In this session, Attendees will perform hands-on exercises to get a better understanding of the OWASP top ten security threats.
The 14 Most Common Security Risks For SaaS Applications And How To Fix Them.pdf
Nowadays SaaS has become trendy and utilized as a common software model in the world but the SaaS security concerns are also growing with it. The experts in the market are saying that its buzz not going to down very soon.
How Can I Reduce The Risk Of A Cyber-Attack?
A professional guide to reducing the risks of a cyber attack on your business. A professionally written article that would be suitable for a technical IT blog.
Similar to Web application security (20)
Web Application Firewall (WAF) DAST/SAST combination
Web Application Firewall (WAF) DAST/SAST combination
Developing Secure Applications and Defending Against Common Attacks
Developing Secure Applications and Defending Against Common Attacks
Security concerns with SaaS layer of cloud computing
Security concerns with SaaS layer of cloud computing
Owasp top 10 web application security hazards - Part 1
Owasp top 10 web application security hazards - Part 1
The 14 Most Common Security Risks For SaaS Applications And How To Fix Them.pdf
The 14 Most Common Security Risks For SaaS Applications And How To Fix Them.pdf
More from Akash Mahajan
On Writing Well - A talk given at WinjaBlogs Session
5 simple rules for writing I use for blogging and writing for an online audience.
Based on my personal experience.
App sec in the time of docker containers
A look at how application security needs to evolve to keep up with applications that are containerised. Delivered first at c0c0n 2016, the audience got a ready checklist to go with the talk.
Security in the cloud Workshop HSTC 2014
A broad overview of what it takes to be secure. This is more of an introduction where we introduce the basic terms around Cloud Computing and how do we go about securing our information assets(Data, Applications and Infrastructure)
The workshop was fun because all the slides were paired with real world examples of security breaches and attacks.
I haz your mouse clicks and key strokes
This technically light talk+demo will show you how and what are User Interface Redressing Attacks.
Web Applications using HTML5 + JavaScript + CSS + Modern Browsers are vulnerable to attacks such as Clickjacking, Strokejacking, Cursor Tracking, Unxploitable XSS and Facebook Like attacks.
TL;DR Cool demo and simple to understand explaination of ClickJacking
Php security
A different look at what PHP developers should be looking at. Not in terms of security but in terms of the data flow of the web application. The concepts of security are tied into that itself.
Secure passwords-theory-and-practice
A look at the risks of not encrypting passwords in your web applications. Also a basic introduction to hashing passwords with salts.
Startups Security
Why should startups take care about security or answer to the question who will hack my server.
More from Akash Mahajan (8)
On Writing Well - A talk given at WinjaBlogs Session
On Writing Well - A talk given at WinjaBlogs Session
Recently uploaded
UiPath Test Automation using UiPath Test Suite series, part 4
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
Removing Uninteresting Bytes in Software Fuzzing
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second).
Paper: https://eprint.iacr.org/2023/1886
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Quantum Computing: Current Landscape and the Future Role of APIs
The current state of quantum computing and the role of APIs to take it mainstream.
Elevating Tactical DDD Patterns Through Object Calisthenics
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
DevOps and Testing slides at DASA Connect
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
The Metaverse and AI: how can decision-makers harness the Metaverse for their...
The Metaverse is popularized in science fiction, and now it is becoming closer to being a part of our daily lives through the use of social media and shopping companies. How can businesses survive in a world where Artificial Intelligence is becoming the present as well as the future of technology, and how does the Metaverse fit into business strategy when futurist ideas are developing into reality at accelerated rates? How do we do this when our data isn't up to scratch? How can we move towards success with our data so we are set up for the Metaverse when it arrives?
How can you help your company evolve, adapt, and succeed using Artificial Intelligence and the Metaverse to stay ahead of the competition? What are the potential issues, complications, and benefits that these technologies could bring to us and our organizations? In this session, Jen Stirrup will explain how to start thinking about these technologies as an organisation.
Recently uploaded (20)
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Quantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIs
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
The Metaverse and AI: how can decision-makers harness the Metaverse for their...
The Metaverse and AI: how can decision-makers harness the Metaverse for their...
Web application security
- 1. Web Application Security Firewalls will not be able to protect you AkashMahajan – Chapter Lead for null Bangalore
- 2. What should keep you up at night 95% of attacks are against “Web Servers and Web Applications” aka Websites The top 3 verticals compromised were Financial Services, Hospitality and Retail. More than 60% of attacks were caused by external agents. Primary attack vector was SQL Injection and was used to install customized malware. Injection Attacks are #1 critical flaw in applications Sources Verizon DBIR 2010, Whitehat Sec Statistics, OWASP Top 10 2010
- 3. Web App Attacks SQL Injection Attacks Number plate to foil an automatic license plate scanner! An attack which allows SQL to be executed as part of the input.
- 4. Web App Attacks Bobby Tables!
- 5. Web App Attacks XSS was used to get root on a apache.org server in April 2010 A popular shopping website used to sell only books and now sell other stuff as well. That inner window is an iframe injected in a simple search request. Picture courtesy null Keeda Vulnerability Database
- 6. Other Critical Flaws/Attacks Cross Site Request Forgery Attacks the user of the application Clickjacking Facebook Like attack SecurityMis-configurations Default passwords in DSL routers Insecure Cryptographic Storage Apache Attack Tiny URLs Employees trust and click on anything!
- 7. Solutions/Mitigations Training inSecure Coding for Developers Code Reviews by competent security folks Regular mining of web server logs Application Security Practice Awareness about new attacks Setup a red team in the company
- 8. About null Null – Indian Open Security Community null.co.in Registered non-profit society 5 active chapters in India We conduct monthly meetings, regular awareness camps and trainings. More than 1000+ security professionals and enthusiasts in the group. Null Keeda Vulnerability Database http://keeda.nullcon.net