Barcamp Perth 4.0 Web Security
  1. “With great power comes great responsibility”* (Italian in the original: “Con un grande potere derivano grandi responsabilità”) *nb: not an actual quote - Uncle Ben flickr.com/photos/ilcello
  2. Who are you? Christian Frichot flickr.com/photos/lwr flickr.com/photos/jmilles
  3. What are you on about?
  4. flickr.com/photos/jurvetson
  5. flickr.com/photos/meg
  6. flickr.com/photos/muehlinghaus
  7. flickr.com/photos/purpleslog
  8. flickr.com/photos/pixelfrenzy
  9. flickr.com/photos/kogakure
  10. flickr.com/photos/elfsternberg
  11. flickr.com/photos/a_mason
  12. flickr.com/photos/rzrxtion
  13. flickr.com/photos/bahkubean
  14. flickr.com/photos/kevinsteele
  15. flickr.com/photos/helfyland
  16. flickr.com/photos/meg
  17. flickr.com/photos/fbouly
  18. Economy dropped
      The Dark Knight came out
      Heath Ledger died
      Obama was elected
  19. One out of 11 minutes is spent Social networking
  20. “ The most recent figures from Hitwise show Facebook secured 7.07% of hits in the United States during the week ending March 13.”
  21. flickr.com/photos/alancleaver
  23. http://pandalabs.pandasecurity.com/blogs/images/PandaLabs/2007/07/20/Mpack.JPG
  24. flickr.com/photos/sebastiagiralt
  25. flickr.com/photos/herry
  26. flickr.com/photos/23905174@N00
  27. 3,800,000
  28. 4,400,000
  29. $3,500,000,000
  30. “18 to 24 year olds are slowest to detect fraud. Millennials (consumers aged 18 to 24 years old) take nearly twice as many days to detect fraud, compared to other age groups.” Javelin Strategy & Research 2010 Identity Fraud Survey Report
  31. flickr.com/photos/hmvh
  32. flickr.com/photos/negatyf
  33. Grabbing your cookies
      Grabbing your history
      Discover your internal NAT’ed IP
      Port scan behind the firewall
      Exploit Intranet web-enabled devices
  34. (Ab)use case - example
  35. “The attack works by including a link or script in a page that accesses a site to which the user is known (or supposed) to have been authenticated.”
  36. <img src="http://bank.example/withdraw?account=bob&amount=100000&for=mallory" />
  37. flickr.com/photos/8363028@N08
  38. (Ab)use case - example
  39. Internet Management Interface (HTTPS) Admin
  40. Internet Management Interface (HTTPS) 1. Login POST /Admin/Login.aspx HTTP/1.1 Username=admin&password=T0ps3cr3t Admin
  41. Internet Management Interface (HTTPS) 2. Browse the Net Admin
  42. Internet Management Interface (HTTPS) 3. Check mail Admin
  43. Internet Management Interface (HTTPS) 3. Check mail CSRF-able Admin
  44. Internet Management Interface (HTTPS) 4. Receives mail from ex employee Admin
  45. Internet Management Interface (HTTPS) 5. Automatic, unauthorised request, ie: <img src="https://10.0.0.10/Admin/Shutdown.aspx?t=now" />
      GET /Admin/Shutdown.aspx?t=now HTTP/1.1
      Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
      Admin
  46. Internet Management Interface (HTTPS) 5. No more SAN. Admin
  47. Time Magazine’s Top 100
      Twitter
      ADSL Routers
  48. flickr.com/photos/soloflight
  49. Recommendations
      Don’t make changes upon receipt of GET requests, only POST
      Synchroniser Token Pattern
        <form action="/action.php" method="post">
        <input type="hidden" name="CSRFToken" value="OWY4NmQwODE4ODRjN2Q2NTlhMmZlYWEwYzU1YWQwMTVhM2JmNGYxYjJiMGI4MjJjZDE1ZDZjMTViMGYwMGEwOA==" />
        </form>
  50. flickr.com/photos/tambako
  51. flickr.com/photos/delhaye
  52. flickr.com/photos/sarflondondunc
  53. http://www.microsoft.com/security/sdl/benefits/costeffective.aspx
  56. flickr.com/photos/fabiogis50
  57. flickr.com/photos/markop
  58. www.owasp.org
  59. flickr.com/photos/st3f4n
  60. flickr.com/photos/kolya
  62. International not-for-profit
      Open participation
      130+ chapters (incl. Perth!)
      Open source tools
      Open source collaborative projects
  69. Don’t write your own security controls! Reinventing the wheel when it comes to developing security controls for every web application or web service leads to wasted time and massive security holes.
  70. There is a set of security control interfaces. They define, for example, the types of parameters that are passed to types of security controls.
  71. There is a reference implementation for each security control. The logic is not organisation-specific and the logic is not application-specific.
      An example: string-based input validation.
  72. There are, optionally, your own implementations for each security control. There may be application logic contained in these classes, which may be developed by or for your organisation.
      An example: enterprise authentication.
  73. Authentication
      Access Control
      Input Validation
      Output encoding/escaping
      Cryptography
      Error handling and logging
      Communication security
      HTTP security
      Security configuration
  75. Authenticator interface
      public interface Authenticator {
          User login(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException;
          User getUser(long accountId);
      }
  76. AccessController interface
      public interface AccessController {
          boolean isAuthorizedForURL(String url);
      }
  77. HTTPUtilities interface
      public interface HTTPUtilities {
          String addCSRFToken(String href);
          void verifyCSRFToken(HttpServletRequest request) throws IntrusionException;
      }
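The following is an added example, not code from the slides and not ESAPI's own implementation. It ties together the CSRF scenario of slides 45 and 46, the two recommendations of slide 49, and the shape of the HTTPUtilities methods on slide 77, as a self-contained simulation with no network: a "vulnerable" handler that shuts the device down on a credentialed GET, and a "hardened" handler that accepts only a POST carrying the session's synchroniser token. Device, Session, Request, the handler and helper names, and the way a session is looked up are all hypothetical; only the /Admin/Shutdown.aspx path, the t=now parameter and the CSRFToken field name come from the slides. It also shows why "POST only" on its own is not a CSRF defence: a forged POST from an auto-submitting form still fails, but only because of the token check.

```python
# Added example (not from the slides, not ESAPI code): CSRF on a management
# interface, before and after the synchroniser token pattern. All names below
# are hypothetical except the paths/parameters taken from slides 45 and 49.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


class IntrusionException(Exception):
    """Raised when the submitted CSRF token does not match the session's."""


@dataclass
class Session:
    """Server-side session that the browser's ambient credentials resolve to."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    params: Dict[str, str]
    session: Optional[Session]  # None when the browser sent no credentials


class Device:
    """The appliance behind the management interface (hypothetical)."""
    def __init__(self) -> None:
        self.running = True


SHUTDOWN = "/Admin/Shutdown.aspx"


def vulnerable_handle(req: Request, dev: Device) -> int:
    """Slide 45: a state-changing GET guarded only by ambient credentials."""
    if req.session is None:
        return 401
    if req.path == SHUTDOWN:
        dev.running = False  # any <img src=...> on any site reaches this line
        return 200
    return 404


def add_csrf_token(session: Session, href: str) -> str:
    """Same role as HTTPUtilities.addCSRFToken: bind a link to the session."""
    sep = "&" if "?" in href else "?"
    return f"{href}{sep}CSRFToken={session.csrf_token}"


def verify_csrf_token(req: Request) -> None:
    """Same role as HTTPUtilities.verifyCSRFToken; constant-time comparison."""
    submitted = req.params.get("CSRFToken", "")
    if req.session is None or not hmac.compare_digest(submitted, req.session.csrf_token):
        raise IntrusionException("CSRF token missing or wrong")


def render_shutdown_form(session: Session) -> str:
    """Slide 49: the token travels in a hidden field the attacker cannot read."""
    return (
        f'<form action="{SHUTDOWN}" method="post">'
        f'<input type="hidden" name="CSRFToken" value="{session.csrf_token}" />'
        '<input type="hidden" name="t" value="now" />'
        '<input type="submit" value="Shut down" /></form>'
    )


def hardened_handle(req: Request, dev: Device) -> int:
    """Both slide-49 recommendations: POST only, and the token must match."""
    if req.session is None:
        return 401
    if req.path == SHUTDOWN:
        if req.method != "POST":
            return 405  # GET never changes state
        try:
            verify_csrf_token(req)
        except IntrusionException:
            return 403  # forged POST from an attacker's auto-submitting form
        dev.running = False
        return 200
    return 404


def forged_get(session: Session) -> Request:
    """What <img src="https://10.0.0.10/Admin/Shutdown.aspx?t=now" /> produces:
    the browser attaches the admin's credentials to a request the admin never made."""
    return Request("GET", SHUTDOWN, {"t": "now"}, session)


def forged_post(session: Session) -> Request:
    """Attacker page auto-submits a POST form; the token is still unknown to it."""
    return Request("POST", SHUTDOWN, {"t": "now"}, session)


def legitimate_post(session: Session) -> Request:
    """The admin submits the real form, which carries the session's token."""
    return Request("POST", SHUTDOWN, {"t": "now", "CSRFToken": session.csrf_token}, session)


if __name__ == "__main__":
    admin = Session("admin")
    dev = Device()
    print("vulnerable, forged GET ->", vulnerable_handle(forged_get(admin), dev), "running:", dev.running)
    dev = Device()
    for name, req in [("forged GET", forged_get(admin)), ("forged POST", forged_post(admin)),
                      ("legitimate POST", legitimate_post(admin))]:
        print("hardened,", name, "->", hardened_handle(req, dev), "running:", dev.running)
```

The token is generated per session with secrets.token_urlsafe and compared with hmac.compare_digest so that a wrong token takes the same time to reject whether it is off by one byte or entirely different. Nothing here reads the token from a cookie: the whole defence rests on the browser sending cookies automatically but not hidden form fields from another origin.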
  78. flickr.com/photos/st3f4n
  79. flickr.com/photos/onkel_wart
  80. flickr.com/photos/sophistechate
  81. flickr.com/photos/dalbera
  82. “With great power comes great responsibility”