A presentation on Web Vulnerabilities, especially around Social Engineering & Manipulation, with examples. I presented this talk at ThoughtWorks Pune office, to help raise awareness on how unsuspecting people can be tricked into giving up information, and bypassing strong security measures easily. Some topics covered include Phishing, Spear Phishing, Fake Login screens, Social Engineering, Panopticlick based user identification, Cookies, CSRF, and some good practices for developers to keep in mind.

1. Web Vulnerabilities
Being Aware of Risks and Mitigation options
Gurpreet Luthra
@_zenx_

3. Please enter your google credentials to access the
photo album.

4. Phishing

5. Simple Google Search

6. A
n
o
t
h
e
r
E
x
a
m
p
l
e
-
-
-
G
y
m
M

8. Spear Phishing

9. Strong
Security

10. Social Engineering
The clever manipulation of the natural
human tendency to trust.

11. Social Engineering
• Phishing
• Spear Phishing
• Vishing
• Baiting
• Tailgaiting

12. PROTECT

13. PROTECT
SSL / Digital Certificates
Personal Image or Message [Verified by Visa]
RSA / 2-Step Auth
OTP (ICICI or Facebook)
Log Referral Websites
Safe Browsing API (Google)
https://developers.google.com/safe-browsing/
Phishing Detection Plugin

14. Social Engineering
“A typical system will reject log-ins continually,
ensuring the victim enters PINs or passwords
multiple times, often disclosing several different
passwords!”
http://en.wikipedia.org/wiki/Social_engineering_(security)

15. Cookies

17. Gmail Cookies
ThoughtWorks Cookies

20. Cross Site Request Forgery (CSRF)
<img src="http://my-email.com/logout">
<img
src="http://facebook.com/add_friend?uid=2345adbehd3332a23">
<img src=“http://intranet/report-
app/mail?r=1&m=attacker@gmail.com” width=“1” height=“1”
border=“0”/>

21. Cross Site Request Forgery (CSRF)
<body onload="document.getElementById('frm').submit()">
<form id="frm" action="http://my-mail.com/logout"
method="post">
<input name="Log Me Out" value="Log Me Out" />
</form>
</body>
On website of http://www.attacker.com:

22. PROTECT
Check Referer
GET should not change
state or have side
effects
User auth for transactions +
Captcha
Double submit cookies +
CSRF Token
Separate Browser

23. Cross Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) was among the twenty most-
exploited security vulnerabilities of 2007, along with Cross-Site Scripting
(XSS) and SQL Injection.
Also mentioned in the
OWASP Top 10 Vulnerabilities of 2010.

24. OWASP Top 10
• Injection (SQL, LDAP, etc)
• Cross Site Scripting (XSS)
• Broken Auth and Session Mgmt
• Insecure Direct Object Reference
• Cross Site Request Forgery (CSRF)
• Security Misconfiguration
• Insecure Cryptographic Storage
• Failure to Restrict URL access
• Insufficient Transport Layer
Protection
• Un-validated Redirects and Forwards

25. The only truly secure system is one that
is powered off, cast in a block of concrete
and sealed in a lead-lined room with
armed guards.”
– Gene Spafford
Gurpreet Luthra
@_zenx_

26. SAM WORM --- MySpace
<div style="background:url('javascript:alert(1)')">
<div id="mycode" expr="alert('hah!')"
style="background:url('javascript:eval(document.
all.mycode.expr)')">
No Javascript Allowed
Out of Quotes

27. SAM WORM --- MySpace
<div id="mycode" expr="alert('hah!')"
style="background:url('java
script:eval(document.all.mycode.expr)')">
<div id="mycode" expr="alert('double quote: ' +
String.fromCharCode(34))"
style="background:url('java
script:eval(document.all.mycode.expr)')">
“Javascript” word
More Quotes needed

28. SAM WORM --- MySpace
alert(eval('document.body.inne' + 'rHTML'));
No Problem. First post a GET in an Ajax request,
and then take the hash and put it as part of a
POST.
http://namb.la/popular/tech.html
Words like innerHTML – not allowed
Unique Hash needed to POST

29. The only truly secure system is one that
is powered off, cast in a block of concrete
and sealed in a lead-lined room with
armed guards.”
– Gene Spafford
Gurpreet Luthra
@_zenx_