SlideShare a Scribd company logo
Web Vulnerabilities
Being Aware of Risks and Mitigation options
Gurpreet Luthra
@_zenx_
Please enter your google credentials to access the
photo album.
Phishing
Simple Google Search
A
n
o
t
h
e
r
E
x
a
m
p
l
e
-
-
-
G
y
m
M
Spear Phishing
Strong
Security
Social Engineering
The clever manipulation of the natural
human tendency to trust.
Social Engineering
• Phishing
• Spear Phishing
• Vishing
• Baiting
• Tailgaiting
PROTECT
PROTECT
SSL / Digital Certificates
Personal Image or Message [Verified by Visa]
RSA / 2-Step Auth
OTP (ICICI or Facebook)
Log Referral Websites
Safe Browsing API (Google)
https://developers.google.com/safe-browsing/
Phishing Detection Plugin
Social Engineering
“A typical system will reject log-ins continually,
ensuring the victim enters PINs or passwords
multiple times, often disclosing several different
passwords!”
http://en.wikipedia.org/wiki/Social_engineering_(security)
Cookies
Gmail Cookies
ThoughtWorks Cookies
Cross Site Request Forgery (CSRF)
<img src="http://my-email.com/logout">
<img
src="http://facebook.com/add_friend?uid=2345adbehd3332a23">
<img src=“http://intranet/report-
app/mail?r=1&m=attacker@gmail.com” width=“1” height=“1”
border=“0”/>
Cross Site Request Forgery (CSRF)
<body onload="document.getElementById('frm').submit()">
<form id="frm" action="http://my-mail.com/logout"
method="post">
<input name="Log Me Out" value="Log Me Out" />
</form>
</body>
On website of http://www.attacker.com:
PROTECT
Check Referer
GET should not change
state or have side
effects
User auth for transactions +
Captcha
Double submit cookies +
CSRF Token
Separate Browser
Cross Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) was among the twenty most-
exploited security vulnerabilities of 2007, along with Cross-Site Scripting
(XSS) and SQL Injection.
Also mentioned in the
OWASP Top 10 Vulnerabilities of 2010.
OWASP Top 10
• Injection (SQL, LDAP, etc)
• Cross Site Scripting (XSS)
• Broken Auth and Session Mgmt
• Insecure Direct Object Reference
• Cross Site Request Forgery (CSRF)
• Security Misconfiguration
• Insecure Cryptographic Storage
• Failure to Restrict URL access
• Insufficient Transport Layer
Protection
• Un-validated Redirects and Forwards
The only truly secure system is one that
is powered off, cast in a block of concrete
and sealed in a lead-lined room with
armed guards.”
– Gene Spafford
Gurpreet Luthra
@_zenx_
SAM WORM --- MySpace
<div style="background:url('javascript:alert(1)')">
<div id="mycode" expr="alert('hah!')"
style="background:url('javascript:eval(document.
all.mycode.expr)')">
No Javascript Allowed
Out of Quotes
SAM WORM --- MySpace
<div id="mycode" expr="alert('hah!')"
style="background:url('java
script:eval(document.all.mycode.expr)')">
<div id="mycode" expr="alert('double quote: ' +
String.fromCharCode(34))"
style="background:url('java
script:eval(document.all.mycode.expr)')">
“Javascript” word
More Quotes needed
SAM WORM --- MySpace
alert(eval('document.body.inne' + 'rHTML'));
No Problem. First post a GET in an Ajax request,
and then take the hash and put it as part of a
POST.
http://namb.la/popular/tech.html
Words like innerHTML – not allowed
Unique Hash needed to POST
The only truly secure system is one that
is powered off, cast in a block of concrete
and sealed in a lead-lined room with
armed guards.”
– Gene Spafford
Gurpreet Luthra
@_zenx_

More Related Content

What's hot

Web tools ppt
Web tools pptWeb tools ppt
Web tools ppt
Tamara Pia Agavi
 
SharePoint Authentication and Authorization
SharePoint Authentication and AuthorizationSharePoint Authentication and Authorization
SharePoint Authentication and Authorization
Dan Usher
 
SharePoint Authentication and Authorization
SharePoint Authentication and AuthorizationSharePoint Authentication and Authorization
SharePoint Authentication and Authorization
Scott Hoag
 
Atelier Technique - F5 - #ACSS2019
Atelier Technique - F5 - #ACSS2019Atelier Technique - F5 - #ACSS2019
Atelier Technique - F5 - #ACSS2019
African Cyber Security Summit
 
Grey H@t - Cross-site Request Forgery
Grey H@t - Cross-site Request ForgeryGrey H@t - Cross-site Request Forgery
Grey H@t - Cross-site Request Forgery
Christopher Grayson
 
Cross Site Request Forgery Vulnerabilities
Cross Site Request Forgery VulnerabilitiesCross Site Request Forgery Vulnerabilities
Cross Site Request Forgery Vulnerabilities
Marco Morana
 
웹 개발을 위해 꼭 알아야하는 보안 공격
웹 개발을 위해 꼭 알아야하는 보안 공격웹 개발을 위해 꼭 알아야하는 보안 공격
웹 개발을 위해 꼭 알아야하는 보안 공격
선협 이
 
Cross-Site Request Forgery Vulnerability: “A Sleeping Giant”
Cross-Site Request Forgery Vulnerability: “A Sleeping Giant”Cross-Site Request Forgery Vulnerability: “A Sleeping Giant”
Cross-Site Request Forgery Vulnerability: “A Sleeping Giant”
Capgemini
 
ExpertsLiveEurope The New Era Of Endpoint Security
ExpertsLiveEurope The New Era Of Endpoint SecurityExpertsLiveEurope The New Era Of Endpoint Security
ExpertsLiveEurope The New Era Of Endpoint Security
Alexander Benoit
 
Understanding CSRF
Understanding CSRFUnderstanding CSRF
Understanding CSRF
Potato
 
OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!
ThreatReel Podcast
 
WordPress Security @ Vienna WordPress + Drupal Meetup
WordPress Security @ Vienna WordPress + Drupal MeetupWordPress Security @ Vienna WordPress + Drupal Meetup
WordPress Security @ Vienna WordPress + Drupal Meetup
Veselin Nikolov
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
Daniel Miessler
 
Convincing Developers to take Cross-Site Scripting Seriously
Convincing Developers to take Cross-Site Scripting SeriouslyConvincing Developers to take Cross-Site Scripting Seriously
Convincing Developers to take Cross-Site Scripting Seriously
jpubal
 
Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
Jeremiah Grossman
 
BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!
ThreatReel Podcast
 

What's hot (16)

Web tools ppt
Web tools pptWeb tools ppt
Web tools ppt
 
SharePoint Authentication and Authorization
SharePoint Authentication and AuthorizationSharePoint Authentication and Authorization
SharePoint Authentication and Authorization
 
SharePoint Authentication and Authorization
SharePoint Authentication and AuthorizationSharePoint Authentication and Authorization
SharePoint Authentication and Authorization
 
Atelier Technique - F5 - #ACSS2019
Atelier Technique - F5 - #ACSS2019Atelier Technique - F5 - #ACSS2019
Atelier Technique - F5 - #ACSS2019
 
Grey H@t - Cross-site Request Forgery
Grey H@t - Cross-site Request ForgeryGrey H@t - Cross-site Request Forgery
Grey H@t - Cross-site Request Forgery
 
Cross Site Request Forgery Vulnerabilities
Cross Site Request Forgery VulnerabilitiesCross Site Request Forgery Vulnerabilities
Cross Site Request Forgery Vulnerabilities
 
웹 개발을 위해 꼭 알아야하는 보안 공격
웹 개발을 위해 꼭 알아야하는 보안 공격웹 개발을 위해 꼭 알아야하는 보안 공격
웹 개발을 위해 꼭 알아야하는 보안 공격
 
Cross-Site Request Forgery Vulnerability: “A Sleeping Giant”
Cross-Site Request Forgery Vulnerability: “A Sleeping Giant”Cross-Site Request Forgery Vulnerability: “A Sleeping Giant”
Cross-Site Request Forgery Vulnerability: “A Sleeping Giant”
 
ExpertsLiveEurope The New Era Of Endpoint Security
ExpertsLiveEurope The New Era Of Endpoint SecurityExpertsLiveEurope The New Era Of Endpoint Security
ExpertsLiveEurope The New Era Of Endpoint Security
 
Understanding CSRF
Understanding CSRFUnderstanding CSRF
Understanding CSRF
 
OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!
 
WordPress Security @ Vienna WordPress + Drupal Meetup
WordPress Security @ Vienna WordPress + Drupal MeetupWordPress Security @ Vienna WordPress + Drupal Meetup
WordPress Security @ Vienna WordPress + Drupal Meetup
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
 
Convincing Developers to take Cross-Site Scripting Seriously
Convincing Developers to take Cross-Site Scripting SeriouslyConvincing Developers to take Cross-Site Scripting Seriously
Convincing Developers to take Cross-Site Scripting Seriously
 
Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
 
BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!
 

Viewers also liked

Lessons from Deploying an EMR in Rural India
Lessons from Deploying an EMR in Rural IndiaLessons from Deploying an EMR in Rural India
Lessons from Deploying an EMR in Rural India
Gurpreet Luthra
 
Harnessing The Power of CDNs
Harnessing The Power of CDNsHarnessing The Power of CDNs
Harnessing The Power of CDNs
Gurpreet Luthra
 
Product management for open source software - Nandini Ravi and Gurpreet Luthra
Product management for open source software - Nandini Ravi and Gurpreet LuthraProduct management for open source software - Nandini Ravi and Gurpreet Luthra
Product management for open source software - Nandini Ravi and Gurpreet Luthra
baconfblr
 
Humanitarian Open Source Software
Humanitarian Open Source SoftwareHumanitarian Open Source Software
Humanitarian Open Source Software
Gurpreet Luthra
 
Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016
Francois Marier
 
ONE Conference: Vulnerabilities in Web Applications
ONE Conference: Vulnerabilities in Web ApplicationsONE Conference: Vulnerabilities in Web Applications
ONE Conference: Vulnerabilities in Web Applications
Netcetera
 
Nullcon Jailbreak CTF 2012,Walkthrough by Team Loosers
Nullcon Jailbreak CTF 2012,Walkthrough by Team LoosersNullcon Jailbreak CTF 2012,Walkthrough by Team Loosers
Nullcon Jailbreak CTF 2012,Walkthrough by Team Loosers
Ajith Chandran
 
Multiple projects, different goals, one thing in common: the codebase! at Agi...
Multiple projects, different goals, one thing in common: the codebase! at Agi...Multiple projects, different goals, one thing in common: the codebase! at Agi...
Multiple projects, different goals, one thing in common: the codebase! at Agi...
Carlos Lopes
 
XP In the Real World
XP In the Real WorldXP In the Real World
XP In the Real World
Carlos Lopes
 
Cognitive Biases
Cognitive BiasesCognitive Biases
Cognitive Biases
Carlos Lopes
 
The .NET Platform - A Brief Overview
The .NET Platform - A Brief OverviewThe .NET Platform - A Brief Overview
The .NET Platform - A Brief Overview
Carlos Lopes
 
Refactoring Strategies: Beyond the Basics
Refactoring Strategies: Beyond the BasicsRefactoring Strategies: Beyond the Basics
Refactoring Strategies: Beyond the Basics
Danilo Sato
 
Application versioning
Application versioningApplication versioning
Application versioning
Ted Steinmann
 
Bahmni - an open source hospital system
Bahmni - an open source hospital systemBahmni - an open source hospital system
Bahmni - an open source hospital system
Gurpreet Luthra
 
Continuous Delivery Overview
Continuous Delivery OverviewContinuous Delivery Overview
Continuous Delivery Overview
Luca Minudel
 
Trunk Based Development Explored
Trunk Based Development ExploredTrunk Based Development Explored
Trunk Based Development Explored
Carlos Lopes
 
Trunk Based Development
Trunk Based DevelopmentTrunk Based Development
Trunk Based Development
Carlos Lopes
 
TDD and more than 9000 tries to sell it to a customer
TDD and more than 9000 tries to sell it to a customerTDD and more than 9000 tries to sell it to a customer
TDD and more than 9000 tries to sell it to a customer
Anuar Nurmakanov
 
Introduction to Web security
Introduction to Web securityIntroduction to Web security
Introduction to Web security
jeyaselvir
 
How Continuous Delivery and Lean Management Make your DevOps Amazeballs
How Continuous Delivery and Lean Management Make your DevOps AmazeballsHow Continuous Delivery and Lean Management Make your DevOps Amazeballs
How Continuous Delivery and Lean Management Make your DevOps Amazeballs
Nicole Forsgren
 

Viewers also liked (20)

Lessons from Deploying an EMR in Rural India
Lessons from Deploying an EMR in Rural IndiaLessons from Deploying an EMR in Rural India
Lessons from Deploying an EMR in Rural India
 
Harnessing The Power of CDNs
Harnessing The Power of CDNsHarnessing The Power of CDNs
Harnessing The Power of CDNs
 
Product management for open source software - Nandini Ravi and Gurpreet Luthra
Product management for open source software - Nandini Ravi and Gurpreet LuthraProduct management for open source software - Nandini Ravi and Gurpreet Luthra
Product management for open source software - Nandini Ravi and Gurpreet Luthra
 
Humanitarian Open Source Software
Humanitarian Open Source SoftwareHumanitarian Open Source Software
Humanitarian Open Source Software
 
Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016
 
ONE Conference: Vulnerabilities in Web Applications
ONE Conference: Vulnerabilities in Web ApplicationsONE Conference: Vulnerabilities in Web Applications
ONE Conference: Vulnerabilities in Web Applications
 
Nullcon Jailbreak CTF 2012,Walkthrough by Team Loosers
Nullcon Jailbreak CTF 2012,Walkthrough by Team LoosersNullcon Jailbreak CTF 2012,Walkthrough by Team Loosers
Nullcon Jailbreak CTF 2012,Walkthrough by Team Loosers
 
Multiple projects, different goals, one thing in common: the codebase! at Agi...
Multiple projects, different goals, one thing in common: the codebase! at Agi...Multiple projects, different goals, one thing in common: the codebase! at Agi...
Multiple projects, different goals, one thing in common: the codebase! at Agi...
 
XP In the Real World
XP In the Real WorldXP In the Real World
XP In the Real World
 
Cognitive Biases
Cognitive BiasesCognitive Biases
Cognitive Biases
 
The .NET Platform - A Brief Overview
The .NET Platform - A Brief OverviewThe .NET Platform - A Brief Overview
The .NET Platform - A Brief Overview
 
Refactoring Strategies: Beyond the Basics
Refactoring Strategies: Beyond the BasicsRefactoring Strategies: Beyond the Basics
Refactoring Strategies: Beyond the Basics
 
Application versioning
Application versioningApplication versioning
Application versioning
 
Bahmni - an open source hospital system
Bahmni - an open source hospital systemBahmni - an open source hospital system
Bahmni - an open source hospital system
 
Continuous Delivery Overview
Continuous Delivery OverviewContinuous Delivery Overview
Continuous Delivery Overview
 
Trunk Based Development Explored
Trunk Based Development ExploredTrunk Based Development Explored
Trunk Based Development Explored
 
Trunk Based Development
Trunk Based DevelopmentTrunk Based Development
Trunk Based Development
 
TDD and more than 9000 tries to sell it to a customer
TDD and more than 9000 tries to sell it to a customerTDD and more than 9000 tries to sell it to a customer
TDD and more than 9000 tries to sell it to a customer
 
Introduction to Web security
Introduction to Web securityIntroduction to Web security
Introduction to Web security
 
How Continuous Delivery and Lean Management Make your DevOps Amazeballs
How Continuous Delivery and Lean Management Make your DevOps AmazeballsHow Continuous Delivery and Lean Management Make your DevOps Amazeballs
How Continuous Delivery and Lean Management Make your DevOps Amazeballs
 

Similar to Web Vulnerabilities - Building Basic Security Awareness

Attacking Web Applications
Attacking Web ApplicationsAttacking Web Applications
Attacking Web Applications
Sasha Goldshtein
 
Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)
Michael Hendrickx
 
Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTs
robertjd
 
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) EuropeWakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Alexandre Morgaut
 
Hackers vs developers
Hackers vs developersHackers vs developers
Hackers vs developers
Soumyasanto Sen
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profit
David Stockton
 
OWASPTop 10
OWASPTop 10OWASPTop 10
OWASPTop 10
InnoTech
 
Web security and OWASP
Web security and OWASPWeb security and OWASP
Web security and OWASP
Isuru Samaraweera
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
michelemanzotti
 
Mitigate Maliciousness -- jQuery Europe 2013
Mitigate Maliciousness -- jQuery Europe 2013Mitigate Maliciousness -- jQuery Europe 2013
Mitigate Maliciousness -- jQuery Europe 2013
Mike West
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threat
Avădănei Andrei
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threat
Romanian Cyber Conference
 
Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
Source Conference
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Stormpath
 
SQL Injection & Cross Site Scripting, by Stefano Santomauro
SQL Injection & Cross Site Scripting, by Stefano Santomauro SQL Injection & Cross Site Scripting, by Stefano Santomauro
SQL Injection & Cross Site Scripting, by Stefano Santomauro
Codemotion
 
What Are the Most Common Types of Hacks?
What Are the Most Common Types of Hacks?What Are the Most Common Types of Hacks?
What Are the Most Common Types of Hacks?
Sucuri
 
Cross Site Request Forgery
Cross Site Request ForgeryCross Site Request Forgery
Cross Site Request Forgery
Tony Bibbs
 
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013 Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
Lostar
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
Devnology
 
Security Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramSecurity Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training Program
OpenDNS
 

Similar to Web Vulnerabilities - Building Basic Security Awareness (20)

Attacking Web Applications
Attacking Web ApplicationsAttacking Web Applications
Attacking Web Applications
 
Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)
 
Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTs
 
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) EuropeWakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
 
Hackers vs developers
Hackers vs developersHackers vs developers
Hackers vs developers
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profit
 
OWASPTop 10
OWASPTop 10OWASPTop 10
OWASPTop 10
 
Web security and OWASP
Web security and OWASPWeb security and OWASP
Web security and OWASP
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
 
Mitigate Maliciousness -- jQuery Europe 2013
Mitigate Maliciousness -- jQuery Europe 2013Mitigate Maliciousness -- jQuery Europe 2013
Mitigate Maliciousness -- jQuery Europe 2013
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threat
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threat
 
Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)
 
SQL Injection & Cross Site Scripting, by Stefano Santomauro
SQL Injection & Cross Site Scripting, by Stefano Santomauro SQL Injection & Cross Site Scripting, by Stefano Santomauro
SQL Injection & Cross Site Scripting, by Stefano Santomauro
 
What Are the Most Common Types of Hacks?
What Are the Most Common Types of Hacks?What Are the Most Common Types of Hacks?
What Are the Most Common Types of Hacks?
 
Cross Site Request Forgery
Cross Site Request ForgeryCross Site Request Forgery
Cross Site Request Forgery
 
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013 Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
Security Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramSecurity Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training Program
 

Recently uploaded

Operational ease MuleSoft and Salesforce Service Cloud Solution v1.0.pptx
Operational ease MuleSoft and Salesforce Service Cloud Solution v1.0.pptxOperational ease MuleSoft and Salesforce Service Cloud Solution v1.0.pptx
Operational ease MuleSoft and Salesforce Service Cloud Solution v1.0.pptx
sandeepmenon62
 
Secure-by-Design Using Hardware and Software Protection for FDA Compliance
Secure-by-Design Using Hardware and Software Protection for FDA ComplianceSecure-by-Design Using Hardware and Software Protection for FDA Compliance
Secure-by-Design Using Hardware and Software Protection for FDA Compliance
ICS
 
Flutter vs. React Native: A Detailed Comparison for App Development in 2024
Flutter vs. React Native: A Detailed Comparison for App Development in 2024Flutter vs. React Native: A Detailed Comparison for App Development in 2024
Flutter vs. React Native: A Detailed Comparison for App Development in 2024
dhavalvaghelanectarb
 
Migration From CH 1.0 to CH 2.0 and Mule 4.6 & Java 17 Upgrade.pptx
Migration From CH 1.0 to CH 2.0 and  Mule 4.6 & Java 17 Upgrade.pptxMigration From CH 1.0 to CH 2.0 and  Mule 4.6 & Java 17 Upgrade.pptx
Migration From CH 1.0 to CH 2.0 and Mule 4.6 & Java 17 Upgrade.pptx
ervikas4
 
WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...
WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...
WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...
Luigi Fugaro
 
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSISDECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
Tier1 app
 
Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
Enhanced Screen Flows UI/UX using SLDS with Tom Kitt
Enhanced Screen Flows UI/UX using SLDS with Tom KittEnhanced Screen Flows UI/UX using SLDS with Tom Kitt
Enhanced Screen Flows UI/UX using SLDS with Tom Kitt
Peter Caitens
 
美洲杯赔率投注网【​网址​🎉3977·EE​🎉】
美洲杯赔率投注网【​网址​🎉3977·EE​🎉】美洲杯赔率投注网【​网址​🎉3977·EE​🎉】
美洲杯赔率投注网【​网址​🎉3977·EE​🎉】
widenerjobeyrl638
 
Baha Majid WCA4Z IBM Z Customer Council Boston June 2024.pdf
Baha Majid WCA4Z IBM Z Customer Council Boston June 2024.pdfBaha Majid WCA4Z IBM Z Customer Council Boston June 2024.pdf
Baha Majid WCA4Z IBM Z Customer Council Boston June 2024.pdf
Baha Majid
 
ppt on the brain chip neuralink.pptx
ppt  on   the brain  chip neuralink.pptxppt  on   the brain  chip neuralink.pptx
ppt on the brain chip neuralink.pptx
Reetu63
 
Stork Product Overview: An AI-Powered Autonomous Delivery Fleet
Stork Product Overview: An AI-Powered Autonomous Delivery FleetStork Product Overview: An AI-Powered Autonomous Delivery Fleet
Stork Product Overview: An AI-Powered Autonomous Delivery Fleet
Vince Scalabrino
 
一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理
一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理
一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理
dakas1
 
All you need to know about Spring Boot and GraalVM
All you need to know about Spring Boot and GraalVMAll you need to know about Spring Boot and GraalVM
All you need to know about Spring Boot and GraalVM
Alina Yurenko
 
42 Ways to Generate Real Estate Leads - Sellxpert
42 Ways to Generate Real Estate Leads - Sellxpert42 Ways to Generate Real Estate Leads - Sellxpert
42 Ways to Generate Real Estate Leads - Sellxpert
vaishalijagtap12
 
一比一原版(sdsu毕业证书)圣地亚哥州立大学毕业证如何办理
一比一原版(sdsu毕业证书)圣地亚哥州立大学毕业证如何办理一比一原版(sdsu毕业证书)圣地亚哥州立大学毕业证如何办理
一比一原版(sdsu毕业证书)圣地亚哥州立大学毕业证如何办理
kgyxske
 
Upturn India Technologies - Web development company in Nashik
Upturn India Technologies - Web development company in NashikUpturn India Technologies - Web development company in Nashik
Upturn India Technologies - Web development company in Nashik
Upturn India Technologies
 
Microsoft-Power-Platform-Adoption-Planning.pptx
Microsoft-Power-Platform-Adoption-Planning.pptxMicrosoft-Power-Platform-Adoption-Planning.pptx
Microsoft-Power-Platform-Adoption-Planning.pptx
jrodriguezq3110
 
Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
safelyiotech
 

Recently uploaded (20)

Operational ease MuleSoft and Salesforce Service Cloud Solution v1.0.pptx
Operational ease MuleSoft and Salesforce Service Cloud Solution v1.0.pptxOperational ease MuleSoft and Salesforce Service Cloud Solution v1.0.pptx
Operational ease MuleSoft and Salesforce Service Cloud Solution v1.0.pptx
 
Secure-by-Design Using Hardware and Software Protection for FDA Compliance
Secure-by-Design Using Hardware and Software Protection for FDA ComplianceSecure-by-Design Using Hardware and Software Protection for FDA Compliance
Secure-by-Design Using Hardware and Software Protection for FDA Compliance
 
Flutter vs. React Native: A Detailed Comparison for App Development in 2024
Flutter vs. React Native: A Detailed Comparison for App Development in 2024Flutter vs. React Native: A Detailed Comparison for App Development in 2024
Flutter vs. React Native: A Detailed Comparison for App Development in 2024
 
Migration From CH 1.0 to CH 2.0 and Mule 4.6 & Java 17 Upgrade.pptx
Migration From CH 1.0 to CH 2.0 and  Mule 4.6 & Java 17 Upgrade.pptxMigration From CH 1.0 to CH 2.0 and  Mule 4.6 & Java 17 Upgrade.pptx
Migration From CH 1.0 to CH 2.0 and Mule 4.6 & Java 17 Upgrade.pptx
 
WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...
WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...
WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...
 
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSISDECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
 
Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
 
Enhanced Screen Flows UI/UX using SLDS with Tom Kitt
Enhanced Screen Flows UI/UX using SLDS with Tom KittEnhanced Screen Flows UI/UX using SLDS with Tom Kitt
Enhanced Screen Flows UI/UX using SLDS with Tom Kitt
 
美洲杯赔率投注网【​网址​🎉3977·EE​🎉】
美洲杯赔率投注网【​网址​🎉3977·EE​🎉】美洲杯赔率投注网【​网址​🎉3977·EE​🎉】
美洲杯赔率投注网【​网址​🎉3977·EE​🎉】
 
Baha Majid WCA4Z IBM Z Customer Council Boston June 2024.pdf
Baha Majid WCA4Z IBM Z Customer Council Boston June 2024.pdfBaha Majid WCA4Z IBM Z Customer Council Boston June 2024.pdf
Baha Majid WCA4Z IBM Z Customer Council Boston June 2024.pdf
 
ppt on the brain chip neuralink.pptx
ppt  on   the brain  chip neuralink.pptxppt  on   the brain  chip neuralink.pptx
ppt on the brain chip neuralink.pptx
 
Stork Product Overview: An AI-Powered Autonomous Delivery Fleet
Stork Product Overview: An AI-Powered Autonomous Delivery FleetStork Product Overview: An AI-Powered Autonomous Delivery Fleet
Stork Product Overview: An AI-Powered Autonomous Delivery Fleet
 
一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理
一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理
一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理
 
All you need to know about Spring Boot and GraalVM
All you need to know about Spring Boot and GraalVMAll you need to know about Spring Boot and GraalVM
All you need to know about Spring Boot and GraalVM
 
42 Ways to Generate Real Estate Leads - Sellxpert
42 Ways to Generate Real Estate Leads - Sellxpert42 Ways to Generate Real Estate Leads - Sellxpert
42 Ways to Generate Real Estate Leads - Sellxpert
 
一比一原版(sdsu毕业证书)圣地亚哥州立大学毕业证如何办理
一比一原版(sdsu毕业证书)圣地亚哥州立大学毕业证如何办理一比一原版(sdsu毕业证书)圣地亚哥州立大学毕业证如何办理
一比一原版(sdsu毕业证书)圣地亚哥州立大学毕业证如何办理
 
Upturn India Technologies - Web development company in Nashik
Upturn India Technologies - Web development company in NashikUpturn India Technologies - Web development company in Nashik
Upturn India Technologies - Web development company in Nashik
 
bgiolcb
bgiolcbbgiolcb
bgiolcb
 
Microsoft-Power-Platform-Adoption-Planning.pptx
Microsoft-Power-Platform-Adoption-Planning.pptxMicrosoft-Power-Platform-Adoption-Planning.pptx
Microsoft-Power-Platform-Adoption-Planning.pptx
 
Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
 

Web Vulnerabilities - Building Basic Security Awareness

  • 1. Web Vulnerabilities Being Aware of Risks and Mitigation options Gurpreet Luthra @_zenx_
  • 2.
  • 3. Please enter your google credentials to access the photo album.
  • 7.
  • 10. Social Engineering The clever manipulation of the natural human tendency to trust.
  • 11. Social Engineering • Phishing • Spear Phishing • Vishing • Baiting • Tailgaiting
  • 13. PROTECT SSL / Digital Certificates Personal Image or Message [Verified by Visa] RSA / 2-Step Auth OTP (ICICI or Facebook) Log Referral Websites Safe Browsing API (Google) https://developers.google.com/safe-browsing/ Phishing Detection Plugin
  • 14. Social Engineering “A typical system will reject log-ins continually, ensuring the victim enters PINs or passwords multiple times, often disclosing several different passwords!” http://en.wikipedia.org/wiki/Social_engineering_(security)
  • 16.
  • 18.
  • 19.
  • 20. Cross Site Request Forgery (CSRF) <img src="http://my-email.com/logout"> <img src="http://facebook.com/add_friend?uid=2345adbehd3332a23"> <img src=“http://intranet/report- app/mail?r=1&m=attacker@gmail.com” width=“1” height=“1” border=“0”/>
  • 21. Cross Site Request Forgery (CSRF) <body onload="document.getElementById('frm').submit()"> <form id="frm" action="http://my-mail.com/logout" method="post"> <input name="Log Me Out" value="Log Me Out" /> </form> </body> On website of http://www.attacker.com:
  • 22. PROTECT Check Referer GET should not change state or have side effects User auth for transactions + Captcha Double submit cookies + CSRF Token Separate Browser
  • 23. Cross Site Request Forgery (CSRF) Cross-Site Request Forgery (CSRF) was among the twenty most- exploited security vulnerabilities of 2007, along with Cross-Site Scripting (XSS) and SQL Injection. Also mentioned in the OWASP Top 10 Vulnerabilities of 2010.
  • 24. OWASP Top 10 • Injection (SQL, LDAP, etc) • Cross Site Scripting (XSS) • Broken Auth and Session Mgmt • Insecure Direct Object Reference • Cross Site Request Forgery (CSRF) • Security Misconfiguration • Insecure Cryptographic Storage • Failure to Restrict URL access • Insufficient Transport Layer Protection • Un-validated Redirects and Forwards
  • 25. The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards.” – Gene Spafford Gurpreet Luthra @_zenx_
  • 26. SAM WORM --- MySpace <div style="background:url('javascript:alert(1)')"> <div id="mycode" expr="alert('hah!')" style="background:url('javascript:eval(document. all.mycode.expr)')"> No Javascript Allowed Out of Quotes
  • 27. SAM WORM --- MySpace <div id="mycode" expr="alert('hah!')" style="background:url('java script:eval(document.all.mycode.expr)')"> <div id="mycode" expr="alert('double quote: ' + String.fromCharCode(34))" style="background:url('java script:eval(document.all.mycode.expr)')"> “Javascript” word More Quotes needed
  • 28. SAM WORM --- MySpace alert(eval('document.body.inne' + 'rHTML')); No Problem. First post a GET in an Ajax request, and then take the hash and put it as part of a POST. http://namb.la/popular/tech.html Words like innerHTML – not allowed Unique Hash needed to POST
  • 29. The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards.” – Gene Spafford Gurpreet Luthra @_zenx_

Editor's Notes

  1. A fake google screen created to get google credentials (by giving the promise of showing a photo album). True story of how my wife got tricked! : (
  2. A cheque gives you access to Name, Bank, Account Number, Branch, and behind the cheque usually the phone number of the account holder. This image was taken from the internet right now.
  3. A fake email impersonating ICICI bank, using just name, account number, mobile of the person to make it appear genuine (and a logo of the bank copied from internet). Unsuspecting customer might give away valuable personal information.
  4. Specific targeting of individuals.
  5. Weakest link in the chain.
  6. A smart way to detect if you are accessing a fake website, is to enter invalid credentials first time. But WARNING. See note above!! : (