SlideShare a Scribd company logo

Why Web Security Matters!

P
Philippe De Ryck

A talk about the importance of Web security, tailored towards IT people of local municipalities. This was an invited talk at the information day on online security for the municipalities of Flemish Brabant (Belgium).

1 of 41
Download to read offline
Why Web Security Matters! Philippe De Ryck @PhilippeDeRyck
2 Years Ago in the “News” … 2 http://nieuws.vtm.be/binnenland/60632-overheidssites-gehackt-2-minuten
The Agenda for Today 3
About Me – Philippe De Ryck § Postdoctoral Researcher @ DistriNet (KU Leuven) § Focus on (client-side) Web security § Responsible for the Web Security training program § Dissemination of knowledge and research results § Target audiences include industry and researchers § Main author of the Primer on Client-Side Web Security § 7 attacker models, broken down in 10 capabilities § 13 attacks and their countermeasures § Overview of security best practices
Who Uses Portable Computers? 5
And Who Are You Most Afraid Of? 6
7 https://www.flickr.com/photos/jeepersmedia/16091161616/ http://deredactie.be/cm/vrtnieuws/binnenland/1.2163105 http://www.clickx.be/nieuws/134342/telenet-laat-je-surfen-via-de-modem-van-je-buren/ http://www.engadget.com/2010/07/01/starbucks-begins-offering-free-one-click-wifi-access-in-us-and-c/
What Happens when You Submit a Form 8 GET login.html 200 OK Html page Fill out form POST login.php username: Philippe password: ... 200 OK Html page Open site
Form Data on the Network 9
You May Think an Attacker Needs This … 10
While He Actually Only Needs This … 11
Network Sniffing Is Straightforward 12 § Sniffing can be a completely passive attack § Just listen to the traffic and analyze it later § HTTPS protects you against network-based attacks § It encrypts the traffic, so that nobody else can read it
So Problem Solved Then? 13
So Problem Solved Then? 14
So Problem Solved Then? 15 http://arstechnica.com/security/2015/04/match-coms-http-only-login-page-puts-millions-of-passwords-at-risk/
There Is More besides Sniffing 16 Here you go Fake HTML page GET index.html 200 OK Html page Open site
There Is More besides Sniffing 17 § Instead of this … § You get this ...
SSL Stripping 18 § Instead of this … § You get this …
SSL Stripping 19 GET http://websec.be 200 OK Response page POST http://www.websec.be GET http://… 301 Moved GET https://… 200 OK Rewrite HTTPS URLs User: philippe & pass: pazzw0rd POST https://… websec.be
Preventing SSL Stripping with HSTS 20 GET https://websec.be websec.be 200 OK Response page Strict-Transport-Security: max-age=31536000; GET https://websec.be 200 OK Response page Strict-Transport-Security: max-age=31536000; websec.be GET https://www.websec.be 200 OK Response page Strict-Transport-Security: max-age=31536000;
HTTPS Is Really Worth the Effort 21 § An attacker on the network level can § Read all unprotected traffic, regardless of which application § Modify content from the browser to the server § Modify content form the server to the browser § Remove HTTPS if only used for specific pages or form submissions • This attack is called SSL Stripping and is very dangerous § Essentially take full control of the Web page § All of these attacks are invisible for most users § Even security experts fall for these if not paying attention § But a correct HTTPS deployment counters all of this …
How to Deploy HTTPS Correctly 22 § Configure your HTTPS with a valid certificate § These used to be expensive, but now there are free options § Let’s encrypt is backed by the EFF and offers free HTTPS certs § Deploy your entire website over HTTPS § Partial HTTPS still leaves you vulnerable against numerous attacks § The performance impact is very limited nowadays § Many major sites have switched to full HTTPS § Use state-of-the-art security techniques § HTTP Strict Transport Security (HSTS)
Back to the Video with Weird Usernames 23 http://nieuws.vtm.be/binnenland/60632-overheidssites-gehackt-2-minuten
Verifying a User’s Credentials 24 GET login.html 200 OK Html page POST login.php username: Philippe password: … 200 OK Html page Lookup User Check Password Load User Info
Communicating with a Database 25 § Application data is generally stored in a database § Most common technology is a relational database § Can be queried using SQL (Structured Query Language) ID username password email role 1 Administrator au28sj348aj2 administrator@gmail.com admin 2 Philippe secret philippe.deryck@cs.kuleuven.be Editor 3 … … … …
Communicating with a Database 26 § Application data is generally stored in a database § Most common technology is a relational database § Can be queried using SQL (Structured Query Language) § When a user logs in, the application verifies his credentials SELECT * FROM users WHERE username = ‘ + username + ‘ AND password = ‘ + password + ‘ Username: philippe Password: secret SELECT * FROM users WHERE username = ‘philippe‘ AND password = ‘secret‘ Philippe – secret – philippe.deryck@cs.kuleuven.be – editor
Communicating with a Database 27 § Application data is generally stored in a database § Most common technology is a relational database § Can be queried using SQL (Structured Query Language) § When a user logs in, the application verifies his credentials SELECT * FROM users WHERE username = ‘ + username + ‘ AND password = ‘ + password + ‘ Username: superman Password: kryptonite SELECT * FROM users WHERE username = ‘superman‘ AND password = ‘kryptonite‘
Communicating with a Database 28 § Application data is generally stored in a database § Most common technology is a relational database § Can be queried using SQL (Structured Query Language) § When a user logs in, the application verifies his credentials SELECT * FROM users WHERE username = ‘ + username + ‘ AND password = ‘ + password + ‘ Username: administrator Password: luckyguess SELECT * FROM users WHERE username = ‘administrator‘AND password = ‘luckyguess‘
Communicating with a Database 29 § Application data is generally stored in a database § Most common technology is a relational database § Can be queried using SQL (Structured Query Language) § When a user logs in, the application verifies his credentials SELECT * FROM users WHERE username = ‘ + username + ‘ AND password = ‘ + password + ‘ Username: administrator’-- Password: luckyguess SELECT * FROM users WHERE username = ‘administrator’-- Administrator– au28sj348aj2– administrator@gmail.com – admin
Communicating with a Database 30 § Application data is generally stored in a database § Most common technology is a relational database § Can be queried using SQL (Structured Query Language) § When a user logs in, the application verifies his credentials SELECT * FROM users WHERE username = ‘ + username + ‘ AND password = ‘ + password + ‘ Username: ‘ OR ‘1’ = ‘1’-- Password: SELECT * FROM users WHERE username = ‘‘ OR ‘1’ = ‘1’-- Administrator – au28sj348aj2– administrator@gmail.com – admin Philippe – secret – philippe.deryck@cs.kuleuven.be – editor …
SQL Injection Attacks Are Problematic 31 § Injection problems are ranked #1 in the OWASP Top 10 § SQL injection a very common attack https://blog.sucuri.net/2015/10/joomla-sql-injection-attacks-in-the-wild.html
SQL Injection Attacks Are Problematic 32 § Injection problems are ranked #1 in the OWASP Top 10 § SQL injection a very common attack § The problem stretches beyond login forms § Everywhere where data is used in a query, injection exists § The payload that is injected can be anything … UPDATE users SET email = ‘ + email + ‘ WHERE username = ‘ + username + ‘ Email: philippe@gmail.com Username: philippe’; DROP DATABASE website;-- UPDATE users SET email = ‘philippe@gmail.com‘ WHERE username = ‘philippe‘; DROP DATABASE website;--
SQL Injection Attacks Are Problematic 33 https://xkcd.com/327/
Prepared Statements against SQL Injection 34 § An injection attack is caused by confusing data and code § The database cannot distinguish the query and the data anymore § It does not know what the intended behavior of the query was § Prepared statements declare the query up front § Data is inserted separately, and will never be interpreted as code SELECT * FROM users WHERE username = ‘?‘ AND password = ‘?‘ Username: administrator’-- Password: luckyguess SELECT * FROM users WHERE username = ‘administrator’--’AND password = ‘luckyguess’ SELECT * FROM users WHERE username = ‘administrator’--
Preventing SQL Injection Attacks 35 § The only correct defense is using Prepared Statements § Every language supports prepared statements § Is only a small effort to do this right in the application’s code § Escaping is often considered as an alternative defense § Dangerous characters (like ‘ and --) are replaced with safe versions § This approach is less effective and more error prone § Defending against SQL injection is technically not difficult § But it requires explicit action from the developer
A Quick Recap … 37 § Mobile computers and Wifi networks have changed the Web § Enabler of astonishing scenarios and applications § But security has become a lot more important as well § Network-level attacks have become much easier § Anyone sitting nearby can target a wireless user § Users are not necessarily the victim, but their employer may be § HTTPS offers protection against network-level attacks § Realize that it is important, and switch everything to HTTPS § Deploy it correctly, and keep your configuration up to date
A Quick Recap … 38 § SQL injection is a very old vulnerability § But it’s still very relevant today, as aptly illustrated in this talk § SQL injection can be very harmful § One of the major sources of data leaks § Can even give the attacker full control over your database § Preventing SQL injection is not difficult § Requires a bit of effort from the developer, but not very much § But you need to explicitly protect against these attacks
Managing Your Application’s Security 39 § You are not a security expert, and nobody expects you to be § Be knowledgeable about basic Web security concepts § Be involved in building the threat model of your application § Be aware of the contemporary Web security landscape § Find trustworthy people for the technical security aspects § Instruct your contractor to explicitly take security into account § Ask for evidence that they are knowledgeable about security § Verify the list of technical goals with a knowledgeable person
Managing Your Application’s Security 40 § Make security goals an explicit requirement § Contractors should deliver projects that follow current best practices § Plenty of resources available, for example from OWASP § Think about liability, and see if you can transfer it § Verify the security of your applications § Many companies can perform security reviews of your applications § Should be mandatory for critical systems • Passing a security review as a final requirement before delivering a project
Why Web Security Matters! Philippe De Ryck philippe.deryck@cs.kuleuven.be /in/philippederyck https://distrinet.cs.kuleuven.be/events/websecurity/ @PhilippeDeRyck

Recommended

SplunkLive! Amsterdam 2015 - Analytics based security breakout
SplunkLive! Amsterdam 2015 - Analytics based security breakoutSplunkLive! Amsterdam 2015 - Analytics based security breakout
SplunkLive! Amsterdam 2015 - Analytics based security breakout
Splunk
 
BlueHat v18 || Malicious user profiling using a deep neural net
BlueHat v18 || Malicious user profiling using a deep neural netBlueHat v18 || Malicious user profiling using a deep neural net
BlueHat v18 || Malicious user profiling using a deep neural net
BlueHat Security Conference
 
BlueHat v18 || May i see your credentials, please
BlueHat v18 || May i see your credentials, pleaseBlueHat v18 || May i see your credentials, please
BlueHat v18 || May i see your credentials, please
BlueHat Security Conference
 
Security Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramSecurity Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training Program
OpenDNS
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
MITRE ATT&CK
 
Standardizing and Strengthening Security to Lower Costs
Standardizing and Strengthening Security to Lower CostsStandardizing and Strengthening Security to Lower Costs
Standardizing and Strengthening Security to Lower Costs
OpenDNS
 
[CB20] Pwning OT: Going in Through the Eyes by Ta-Lun Yen
[CB20] Pwning OT: Going in Through the Eyes by Ta-Lun Yen[CB20] Pwning OT: Going in Through the Eyes by Ta-Lun Yen
[CB20] Pwning OT: Going in Through the Eyes by Ta-Lun Yen
CODE BLUE
 
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat Security Conference
 

Recommended

SplunkLive! Amsterdam 2015 - Analytics based security breakout
SplunkLive! Amsterdam 2015 - Analytics based security breakoutSplunkLive! Amsterdam 2015 - Analytics based security breakout
SplunkLive! Amsterdam 2015 - Analytics based security breakout
Splunk
 
BlueHat v18 || Malicious user profiling using a deep neural net
BlueHat v18 || Malicious user profiling using a deep neural netBlueHat v18 || Malicious user profiling using a deep neural net
BlueHat v18 || Malicious user profiling using a deep neural net
BlueHat Security Conference
 
BlueHat v18 || May i see your credentials, please
BlueHat v18 || May i see your credentials, pleaseBlueHat v18 || May i see your credentials, please
BlueHat v18 || May i see your credentials, please
BlueHat Security Conference
 
Security Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramSecurity Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training Program
OpenDNS
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
MITRE ATT&CK
 
Standardizing and Strengthening Security to Lower Costs
Standardizing and Strengthening Security to Lower CostsStandardizing and Strengthening Security to Lower Costs
Standardizing and Strengthening Security to Lower Costs
OpenDNS
 
[CB20] Pwning OT: Going in Through the Eyes by Ta-Lun Yen
[CB20] Pwning OT: Going in Through the Eyes by Ta-Lun Yen[CB20] Pwning OT: Going in Through the Eyes by Ta-Lun Yen
[CB20] Pwning OT: Going in Through the Eyes by Ta-Lun Yen
CODE BLUE
 
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat Security Conference
 
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat Security Conference
 
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The Cloud
MITRE ATT&CK
 
Security Theatre - PHP UK Conference
Security Theatre - PHP UK ConferenceSecurity Theatre - PHP UK Conference
Security Theatre - PHP UK Conference
xsist10
 
Persistant Cookies and LDAP Injection
Persistant Cookies and LDAP InjectionPersistant Cookies and LDAP Injection
Persistant Cookies and LDAP Injection
MaulikLakhani
 
Network Intelligence for a secured Network (2014-03-12)
Network Intelligence for a secured Network (2014-03-12)Network Intelligence for a secured Network (2014-03-12)
Network Intelligence for a secured Network (2014-03-12)
Andreas Taudte
 
Security Theatre - Benelux
Security Theatre - BeneluxSecurity Theatre - Benelux
Security Theatre - Benelux
xsist10
 
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsWebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
SecuRing
 
Identity theft: Developers are key - JFokus 2017
Identity theft: Developers are key - JFokus 2017Identity theft: Developers are key - JFokus 2017
Identity theft: Developers are key - JFokus 2017
Brian Vermeer
 
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, TripwireMITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire
MITRE - ATT&CKcon
 
When Insiders ATT&CK!
When Insiders ATT&CK!When Insiders ATT&CK!
When Insiders ATT&CK!
MITRE ATT&CK
 
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
kieranjacobsen
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software
OWASP
 
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE - ATT&CKcon
 
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...
MITRE - ATT&CKcon
 
Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?) Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?)
MITRE ATT&CK
 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
Jakub Kałużny
 
Web Security
Web SecurityWeb Security
Web Security
Gerald Villorente
 
Wannacry | Technical Insight and Lessons Learned
Wannacry | Technical Insight and Lessons LearnedWannacry | Technical Insight and Lessons Learned
Wannacry | Technical Insight and Lessons Learned
Thomas Roccia
 
Rapid Android Application Security Testing
Rapid Android Application Security TestingRapid Android Application Security Testing
Rapid Android Application Security Testing
Nutan Kumar Panda
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active Directory
Sunny Neo
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 seba
Sebastien Deleersnyder
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
Edouard de Lansalut
 

More Related Content

What's hot

BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat Security Conference
 
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The Cloud
MITRE ATT&CK
 
Security Theatre - PHP UK Conference
Security Theatre - PHP UK ConferenceSecurity Theatre - PHP UK Conference
Security Theatre - PHP UK Conference
xsist10
 
Persistant Cookies and LDAP Injection
Persistant Cookies and LDAP InjectionPersistant Cookies and LDAP Injection
Persistant Cookies and LDAP Injection
MaulikLakhani
 
Network Intelligence for a secured Network (2014-03-12)
Network Intelligence for a secured Network (2014-03-12)Network Intelligence for a secured Network (2014-03-12)
Network Intelligence for a secured Network (2014-03-12)
Andreas Taudte
 
Security Theatre - Benelux
Security Theatre - BeneluxSecurity Theatre - Benelux
Security Theatre - Benelux
xsist10
 
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsWebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
SecuRing
 
Identity theft: Developers are key - JFokus 2017
Identity theft: Developers are key - JFokus 2017Identity theft: Developers are key - JFokus 2017
Identity theft: Developers are key - JFokus 2017
Brian Vermeer
 
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, TripwireMITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire
MITRE - ATT&CKcon
 
When Insiders ATT&CK!
When Insiders ATT&CK!When Insiders ATT&CK!
When Insiders ATT&CK!
MITRE ATT&CK
 
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
kieranjacobsen
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software
OWASP
 
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE - ATT&CKcon
 
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...
MITRE - ATT&CKcon
 
Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?) Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?)
MITRE ATT&CK
 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
Jakub Kałużny
 
Web Security
Web SecurityWeb Security
Web Security
Gerald Villorente
 
Wannacry | Technical Insight and Lessons Learned
Wannacry | Technical Insight and Lessons LearnedWannacry | Technical Insight and Lessons Learned
Wannacry | Technical Insight and Lessons Learned
Thomas Roccia
 
Rapid Android Application Security Testing
Rapid Android Application Security TestingRapid Android Application Security Testing
Rapid Android Application Security Testing
Nutan Kumar Panda
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active Directory
Sunny Neo
 

What's hot (20)

BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
 
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The Cloud
 
Security Theatre - PHP UK Conference
Security Theatre - PHP UK ConferenceSecurity Theatre - PHP UK Conference
Security Theatre - PHP UK Conference
 
Persistant Cookies and LDAP Injection
Persistant Cookies and LDAP InjectionPersistant Cookies and LDAP Injection
Persistant Cookies and LDAP Injection
 
Network Intelligence for a secured Network (2014-03-12)
Network Intelligence for a secured Network (2014-03-12)Network Intelligence for a secured Network (2014-03-12)
Network Intelligence for a secured Network (2014-03-12)
 
Security Theatre - Benelux
Security Theatre - BeneluxSecurity Theatre - Benelux
Security Theatre - Benelux
 
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsWebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
 
Identity theft: Developers are key - JFokus 2017
Identity theft: Developers are key - JFokus 2017Identity theft: Developers are key - JFokus 2017
Identity theft: Developers are key - JFokus 2017
 
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, TripwireMITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire
 
When Insiders ATT&CK!
When Insiders ATT&CK!When Insiders ATT&CK!
When Insiders ATT&CK!
 
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software
 
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
 
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...
 
Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?) Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?)
 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
 
Web Security
Web SecurityWeb Security
Web Security
 
Wannacry | Technical Insight and Lessons Learned
Wannacry | Technical Insight and Lessons LearnedWannacry | Technical Insight and Lessons Learned
Wannacry | Technical Insight and Lessons Learned
 
Rapid Android Application Security Testing
Rapid Android Application Security TestingRapid Android Application Security Testing
Rapid Android Application Security Testing
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active Directory
 

Similar to Why Web Security Matters!

Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 seba
Sebastien Deleersnyder
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
Edouard de Lansalut
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
Moataz Kamel
 
Drupal Security Seminar
Drupal Security SeminarDrupal Security Seminar
Drupal Security Seminar
Calibrate
 
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security RisksOWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
All Things Open
 
Oracle database threats - LAOUC Webinar
Oracle database threats - LAOUC WebinarOracle database threats - LAOUC Webinar
Oracle database threats - LAOUC Webinar
Osama Mustafa
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
fangjiafu
 
Oracle PeopleSoft applications are under attacks (Hack in Paris)
Oracle PeopleSoft applications are under attacks (Hack in Paris)Oracle PeopleSoft applications are under attacks (Hack in Paris)
Oracle PeopleSoft applications are under attacks (Hack in Paris)
ERPScan
 
Widespread security flaws in web application development 2015
Widespread security flaws in web application development 2015Widespread security flaws in web application development 2015
Widespread security flaws in web application development 2015
mahchiev
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
Zakaria SMAHI
 
How to get along with HATEOAS without letting the bad guys steal your lunch?
How to get along with HATEOAS without letting the bad guys steal your lunch?How to get along with HATEOAS without letting the bad guys steal your lunch?
How to get along with HATEOAS without letting the bad guys steal your lunch?
Graham Charters
 
Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015
Francois Marier
 
6 - Web Application Security.pptx
6 - Web Application Security.pptx6 - Web Application Security.pptx
6 - Web Application Security.pptx
AlmaOraevi
 
Oracle PeopleSoft applications are under attack (HITB AMS)
Oracle PeopleSoft applications are under attack (HITB AMS)Oracle PeopleSoft applications are under attack (HITB AMS)
Oracle PeopleSoft applications are under attack (HITB AMS)
ERPScan
 
In The Middle of Printers –The (In)Security of Pull Printing Solutions
In The Middle of Printers –The (In)Security of Pull Printing SolutionsIn The Middle of Printers –The (In)Security of Pull Printing Solutions
In The Middle of Printers –The (In)Security of Pull Printing Solutions
SecuRing
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
Brian Huff
 
SQLSecurity.ppt
SQLSecurity.pptSQLSecurity.ppt
SQLSecurity.ppt
LokeshK66
 
SQLSecurity.ppt
SQLSecurity.pptSQLSecurity.ppt
SQLSecurity.ppt
CNSHacking
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
IBM Security
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web Application
Md Mahfuzur Rahman
 

Similar to Why Web Security Matters! (20)

Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 seba
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
Drupal Security Seminar
Drupal Security SeminarDrupal Security Seminar
Drupal Security Seminar
 
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security RisksOWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
 
Oracle database threats - LAOUC Webinar
Oracle database threats - LAOUC WebinarOracle database threats - LAOUC Webinar
Oracle database threats - LAOUC Webinar
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
 
Oracle PeopleSoft applications are under attacks (Hack in Paris)
Oracle PeopleSoft applications are under attacks (Hack in Paris)Oracle PeopleSoft applications are under attacks (Hack in Paris)
Oracle PeopleSoft applications are under attacks (Hack in Paris)
 
Widespread security flaws in web application development 2015
Widespread security flaws in web application development 2015Widespread security flaws in web application development 2015
Widespread security flaws in web application development 2015
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
How to get along with HATEOAS without letting the bad guys steal your lunch?
How to get along with HATEOAS without letting the bad guys steal your lunch?How to get along with HATEOAS without letting the bad guys steal your lunch?
How to get along with HATEOAS without letting the bad guys steal your lunch?
 
Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015
 
6 - Web Application Security.pptx
6 - Web Application Security.pptx6 - Web Application Security.pptx
6 - Web Application Security.pptx
 
Oracle PeopleSoft applications are under attack (HITB AMS)
Oracle PeopleSoft applications are under attack (HITB AMS)Oracle PeopleSoft applications are under attack (HITB AMS)
Oracle PeopleSoft applications are under attack (HITB AMS)
 
In The Middle of Printers –The (In)Security of Pull Printing Solutions
In The Middle of Printers –The (In)Security of Pull Printing SolutionsIn The Middle of Printers –The (In)Security of Pull Printing Solutions
In The Middle of Printers –The (In)Security of Pull Printing Solutions
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
 
SQLSecurity.ppt
SQLSecurity.pptSQLSecurity.ppt
SQLSecurity.ppt
 
SQLSecurity.ppt
SQLSecurity.pptSQLSecurity.ppt
SQLSecurity.ppt
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web Application
 

More from Philippe De Ryck

Are you botching the security of your AngularJS applications? (DevFest 2016)
Are you botching the security of your AngularJS applications? (DevFest 2016)Are you botching the security of your AngularJS applications? (DevFest 2016)
Are you botching the security of your AngularJS applications? (DevFest 2016)
Philippe De Ryck
 
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You SafeWhy Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Philippe De Ryck
 
Securing your EmberJS Application
Securing your EmberJS ApplicationSecuring your EmberJS Application
Securing your EmberJS Application
Philippe De Ryck
 
Securing your AngularJS Application
Securing your AngularJS ApplicationSecuring your AngularJS Application
Securing your AngularJS Application
Philippe De Ryck
 
Getting Single Page Application Security Right
Getting Single Page Application Security RightGetting Single Page Application Security Right
Getting Single Page Application Security Right
Philippe De Ryck
 
Subresource Integrity
Subresource IntegritySubresource Integrity
Subresource Integrity
Philippe De Ryck
 
HTTPS, Here and Now
HTTPS, Here and NowHTTPS, Here and Now
HTTPS, Here and Now
Philippe De Ryck
 

More from Philippe De Ryck (7)

Are you botching the security of your AngularJS applications? (DevFest 2016)
Are you botching the security of your AngularJS applications? (DevFest 2016)Are you botching the security of your AngularJS applications? (DevFest 2016)
Are you botching the security of your AngularJS applications? (DevFest 2016)
 
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You SafeWhy Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
 
Securing your EmberJS Application
Securing your EmberJS ApplicationSecuring your EmberJS Application
Securing your EmberJS Application
 
Securing your AngularJS Application
Securing your AngularJS ApplicationSecuring your AngularJS Application
Securing your AngularJS Application
 
Getting Single Page Application Security Right
Getting Single Page Application Security RightGetting Single Page Application Security Right
Getting Single Page Application Security Right
 
Subresource Integrity
Subresource IntegritySubresource Integrity
Subresource Integrity
 
HTTPS, Here and Now
HTTPS, Here and NowHTTPS, Here and Now
HTTPS, Here and Now
 

Recently uploaded

20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
Neo4j
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Speck&Tech
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
Zilliz
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
Claudio Di Ciccio
 

Recently uploaded (20)

20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 

Why Web Security Matters!

  • 1. Why Web Security Matters! Philippe De Ryck @PhilippeDeRyck
  • 2. 2 Years Ago in the “News” … 2 http://nieuws.vtm.be/binnenland/60632-overheidssites-gehackt-2-minuten
  • 3. The Agenda for Today 3
  • 4. About Me – Philippe De Ryck § Postdoctoral Researcher @ DistriNet (KU Leuven) § Focus on (client-side) Web security § Responsible for the Web Security training program § Dissemination of knowledge and research results § Target audiences include industry and researchers § Main author of the Primer on Client-Side Web Security § 7 attacker models, broken down in 10 capabilities § 13 attacks and their countermeasures § Overview of security best practices
  • 5. Who Uses Portable Computers? 5
  • 6. And Who Are You Most Afraid Of? 6
  • 8. What Happens when You Submit a Form 8 GET login.html 200 OK Html page Fill out form POST login.php username: Philippe password: ... 200 OK Html page Open site
  • 9. Form Data on the Network 9
  • 10. You May Think an Attacker Needs This … 10
  • 11. While He Actually Only Needs This … 11
  • 12. Network Sniffing Is Straightforward 12 § Sniffing can be a completely passive attack § Just listen to the traffic and analyze it later § HTTPS protects you against network-based attacks § It encrypts the traffic, so that nobody else can read it
  • 13. So Problem Solved Then? 13
  • 14. So Problem Solved Then? 14
  • 15. So Problem Solved Then? 15 http://arstechnica.com/security/2015/04/match-coms-http-only-login-page-puts-millions-of-passwords-at-risk/
  • 16. There Is More besides Sniffing 16 Here you go Fake HTML page GET index.html 200 OK Html page Open site
  • 17. There Is More besides Sniffing 17 § Instead of this … § You get this ...
  • 18. SSL Stripping 18 § Instead of this … § You get this …
  • 19. SSL Stripping 19 GET http://websec.be 200 OK Response page POST http://www.websec.be GET http://… 301 Moved GET https://… 200 OK Rewrite HTTPS URLs User: philippe & pass: pazzw0rd POST https://… websec.be
  • 20. Preventing SSL Stripping with HSTS 20 GET https://websec.be websec.be 200 OK Response page Strict-Transport-Security: max-age=31536000; GET https://websec.be 200 OK Response page Strict-Transport-Security: max-age=31536000; websec.be GET https://www.websec.be 200 OK Response page Strict-Transport-Security: max-age=31536000;
  • 21. HTTPS Is Really Worth the Effort 21 § An attacker on the network level can § Read all unprotected traffic, regardless of which application § Modify content from the browser to the server § Modify content form the server to the browser § Remove HTTPS if only used for specific pages or form submissions • This attack is called SSL Stripping and is very dangerous § Essentially take full control of the Web page § All of these attacks are invisible for most users § Even security experts fall for these if not paying attention § But a correct HTTPS deployment counters all of this …
  • 22. How to Deploy HTTPS Correctly 22 § Configure your HTTPS with a valid certificate § These used to be expensive, but now there are free options § Let’s encrypt is backed by the EFF and offers free HTTPS certs § Deploy your entire website over HTTPS § Partial HTTPS still leaves you vulnerable against numerous attacks § The performance impact is very limited nowadays § Many major sites have switched to full HTTPS § Use state-of-the-art security techniques § HTTP Strict Transport Security (HSTS)
  • 23. Back to the Video with Weird Usernames 23 http://nieuws.vtm.be/binnenland/60632-overheidssites-gehackt-2-minuten
  • 24. Verifying a User’s Credentials 24 GET login.html 200 OK Html page POST login.php username: Philippe password: … 200 OK Html page Lookup User Check Password Load User Info
  • 25. Communicating with a Database 25 § Application data is generally stored in a database § Most common technology is a relational database § Can be queried using SQL (Structured Query Language) ID username password email role 1 Administrator au28sj348aj2 administrator@gmail.com admin 2 Philippe secret philippe.deryck@cs.kuleuven.be Editor 3 … … … …
  • 26. Communicating with a Database 26 § Application data is generally stored in a database § Most common technology is a relational database § Can be queried using SQL (Structured Query Language) § When a user logs in, the application verifies his credentials SELECT * FROM users WHERE username = ‘ + username + ‘ AND password = ‘ + password + ‘ Username: philippe Password: secret SELECT * FROM users WHERE username = ‘philippe‘ AND password = ‘secret‘ Philippe – secret – philippe.deryck@cs.kuleuven.be – editor
  • 27. Communicating with a Database 27 § Application data is generally stored in a database § Most common technology is a relational database § Can be queried using SQL (Structured Query Language) § When a user logs in, the application verifies his credentials SELECT * FROM users WHERE username = ‘ + username + ‘ AND password = ‘ + password + ‘ Username: superman Password: kryptonite SELECT * FROM users WHERE username = ‘superman‘ AND password = ‘kryptonite‘
  • 28. Communicating with a Database 28 § Application data is generally stored in a database § Most common technology is a relational database § Can be queried using SQL (Structured Query Language) § When a user logs in, the application verifies his credentials SELECT * FROM users WHERE username = ‘ + username + ‘ AND password = ‘ + password + ‘ Username: administrator Password: luckyguess SELECT * FROM users WHERE username = ‘administrator‘AND password = ‘luckyguess‘
  • 29. Communicating with a Database 29 § Application data is generally stored in a database § Most common technology is a relational database § Can be queried using SQL (Structured Query Language) § When a user logs in, the application verifies his credentials SELECT * FROM users WHERE username = ‘ + username + ‘ AND password = ‘ + password + ‘ Username: administrator’-- Password: luckyguess SELECT * FROM users WHERE username = ‘administrator’-- Administrator– au28sj348aj2– administrator@gmail.com – admin
  • 30. Communicating with a Database 30 § Application data is generally stored in a database § Most common technology is a relational database § Can be queried using SQL (Structured Query Language) § When a user logs in, the application verifies his credentials SELECT * FROM users WHERE username = ‘ + username + ‘ AND password = ‘ + password + ‘ Username: ‘ OR ‘1’ = ‘1’-- Password: SELECT * FROM users WHERE username = ‘‘ OR ‘1’ = ‘1’-- Administrator – au28sj348aj2– administrator@gmail.com – admin Philippe – secret – philippe.deryck@cs.kuleuven.be – editor …
  • 31. SQL Injection Attacks Are Problematic 31 § Injection problems are ranked #1 in the OWASP Top 10 § SQL injection a very common attack https://blog.sucuri.net/2015/10/joomla-sql-injection-attacks-in-the-wild.html
  • 32. SQL Injection Attacks Are Problematic 32 § Injection problems are ranked #1 in the OWASP Top 10 § SQL injection a very common attack § The problem stretches beyond login forms § Everywhere where data is used in a query, injection exists § The payload that is injected can be anything … UPDATE users SET email = ‘ + email + ‘ WHERE username = ‘ + username + ‘ Email: philippe@gmail.com Username: philippe’; DROP DATABASE website;-- UPDATE users SET email = ‘philippe@gmail.com‘ WHERE username = ‘philippe‘; DROP DATABASE website;--
  • 33. SQL Injection Attacks Are Problematic 33 https://xkcd.com/327/
  • 34. Prepared Statements against SQL Injection 34 § An injection attack is caused by confusing data and code § The database cannot distinguish the query and the data anymore § It does not know what the intended behavior of the query was § Prepared statements declare the query up front § Data is inserted separately, and will never be interpreted as code SELECT * FROM users WHERE username = ‘?‘ AND password = ‘?‘ Username: administrator’-- Password: luckyguess SELECT * FROM users WHERE username = ‘administrator’--’AND password = ‘luckyguess’ SELECT * FROM users WHERE username = ‘administrator’--
  • 35. Preventing SQL Injection Attacks 35 § The only correct defense is using Prepared Statements § Every language supports prepared statements § Is only a small effort to do this right in the application’s code § Escaping is often considered as an alternative defense § Dangerous characters (like ‘ and --) are replaced with safe versions § This approach is less effective and more error prone § Defending against SQL injection is technically not difficult § But it requires explicit action from the developer
  • 36.
  • 37. A Quick Recap … 37 § Mobile computers and Wifi networks have changed the Web § Enabler of astonishing scenarios and applications § But security has become a lot more important as well § Network-level attacks have become much easier § Anyone sitting nearby can target a wireless user § Users are not necessarily the victim, but their employer may be § HTTPS offers protection against network-level attacks § Realize that it is important, and switch everything to HTTPS § Deploy it correctly, and keep your configuration up to date
  • 38. A Quick Recap … 38 § SQL injection is a very old vulnerability § But it’s still very relevant today, as aptly illustrated in this talk § SQL injection can be very harmful § One of the major sources of data leaks § Can even give the attacker full control over your database § Preventing SQL injection is not difficult § Requires a bit of effort from the developer, but not very much § But you need to explicitly protect against these attacks
  • 39. Managing Your Application’s Security 39 § You are not a security expert, and nobody expects you to be § Be knowledgeable about basic Web security concepts § Be involved in building the threat model of your application § Be aware of the contemporary Web security landscape § Find trustworthy people for the technical security aspects § Instruct your contractor to explicitly take security into account § Ask for evidence that they are knowledgeable about security § Verify the list of technical goals with a knowledgeable person
  • 40. Managing Your Application’s Security 40 § Make security goals an explicit requirement § Contractors should deliver projects that follow current best practices § Plenty of resources available, for example from OWASP § Think about liability, and see if you can transfer it § Verify the security of your applications § Many companies can perform security reviews of your applications § Should be mandatory for critical systems • Passing a security review as a final requirement before delivering a project
  • 41. Why Web Security Matters! Philippe De Ryck philippe.deryck@cs.kuleuven.be /in/philippederyck https://distrinet.cs.kuleuven.be/events/websecurity/ @PhilippeDeRyck