Web Application Security

        Siarhei Barysiuk
 s.barysiuk@sam-solutions.net
Our roadmap
Introduction: What will we cover today?
1. Five top vulnerabilities by OWASP
2. How to find them
3. How to prevent them
OWASP
        The Open Web Application Security Project (OWASP) is a
        worldwide free and open community focused on improving
        the security of application software.
Breach Security Network
OWASP: Top Ten 2007
1. Cross Site Scripting
2. Injection Flaws
3. Insecure Remote File Include
4. Insecure Direct Object Reference
5. Cross Site Request Forgery
6. Information Leakage And Improper Error Handling
7. Broken Authentication And Session Management
8. Insecure Cryptographic Storage
9. Insecure Communications
10. Failure To Restrict URL Access
OWASP: Top Ten 2004
1. Unvalidated Input
2. Broken Access Control
3. Broken Authentication And Session Management
4. Cross Site Scripting
5. Buffer Overflows
6. Injection Flaws
7. Improper Error Handling
8. Insecure Storage
9. Denial Of Service
10. Insecure Configuration Management
OWASP: 2004 & 2007
2007                                                 2004
1. Cross Site Scripting                              4. Cross Site Scripting
2. Injection Flaws                                   6. Injection Flaws
3. Insecure Remote File Include (NEW)
4. Insecure Direct Object Reference                  2. Broken Access Control (split)
5. Cross Site Request Forgery (NEW)
6. Information Leakage And Improper Error Handling   7. Improper Error Handling
7. Broken Authentication And Session Management      3. Broken Authentication And Session Management
8. Insecure Cryptographic Storage                    8. Insecure Storage
9. Insecure Communications
10. Failure To Restrict URL Access                   2. Broken Access Control (split)

2004 entries with no 2007 counterpart:
                                                     1. Unvalidated Input
                                                     5. Buffer Overflows
                                                     9. Denial Of Service
                                                     10. Insecure Configuration Management
BSN: The Web Hacking Incidents Database
What are the drivers for Web Hacking?

[Pie chart. Legend: Stealing Sensitive Information, Defacement, Planting Malware, Unknown, Deceit, Blackmail, Link Spam, Worm, Phishing, Information Warfare. Slice shares shown: 42%, 23%, 15%, 8%, 3%, 3%, 3%, 1%, 1%, 1%.]
BSN: The Web Hacking Incidents Database
What are the drivers for Web Hacking?

[Pie chart with OWASP Top Ten labels A1, A2, A3, A4, A5, A6, A7 and "A10, 2004" on the slices. Legend: SQL Injection, Unintentional Information Disclosure, Known Vulnerability, Cross Site Scripting (XSS), Insufficient Access Control, Credential/Session Prediction, Other. Slice shares shown: 20%, 18%, 17%, 15%, 12%, 10%, 8%.]
Cross Site Scripting
Cross Site Scripting: Overview
Cross Site Scripting (XSS) flaws occur whenever an application takes data
that originated from a user and sends it to a web browser without first
validating or encoding that content.


User-supplied content as submitted to the server:

    <script type="text/javascript">
        alert("You've been hacked!");
    </script>

Sent back by the server unencoded, the browser executes it:

    <script type="text/javascript">
        alert("You've been hacked!");
    </script>

Sent back HTML-entity encoded, the browser only displays it as text:

    &lt;script type="text/javascript"&gt;
        alert("You've been hacked!");
    &lt;/script&gt;
Cross Site Scripting: How it works.


[Diagram: the Bad Guy posts a malicious message to the server; Kate and Nick, the other users of the site, receive it in their browsers.]
Cross Site Scripting: Demo

Demo
Cross Site Scripting: Protection

1. Input validation
 Use a standard input validation mechanism to validate all input data for length,
type, syntax, and business rules before accepting the data to be displayed or
stored.

2. Strong output encoding
 Ensure that all user‐supplied data is HTML entity encoded before rendering in
HTML, taking the approach to encode all characters other than a very limited
subset.
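The two defences above, as an added example that is not part of the original slides. It applies a fixed allow-list rule for a comment field (the rule itself, `COMMENT_RE`, is constructed here; the slides only name length, type, syntax and business rules) and then encodes every output character outside a small safe subset, which is the "encode all characters other than a very limited subset" approach the slide recommends rather than the minimal `<>&"` escaping most libraries default to.

```python
import re

# Added example, not from the original slides.

# 1. Input validation: a comment is 1..200 characters drawn from an allow-list.
#    (Constructed rule for this example.)
COMMENT_RE = re.compile(r"^[\w .,!?'-]{1,200}$")


def validate_comment(text: str) -> bool:
    """Return True if the comment passes the allow-list rule, False otherwise."""
    return bool(COMMENT_RE.fullmatch(text))


# 2. Strong output encoding: everything outside this subset becomes an entity.
SAFE_CHARS = set("abcdefghijklmnopqrstuvwxyz"
                 "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                 "0123456789 ")


def encode_for_html(text: str) -> str:
    """Encode every character not in SAFE_CHARS as a numeric HTML entity (&#NN;)."""
    return "".join(c if c in SAFE_CHARS else f"&#{ord(c)};" for c in text)


def render_comment(text: str) -> str:
    """Validate first, then encode: the only way user text reaches the HTML."""
    if not validate_comment(text):
        # Reject invalid input instead of trying to "clean" it.
        raise ValueError("comment rejected by input validation")
    return f"<p>{encode_for_html(text)}</p>"


# The payload from the slide, used here only to show both layers stop it.
PAYLOAD = '<script type="text/javascript">alert("You\'ve been hacked!");</script>'

if __name__ == "__main__":
    print(validate_comment(PAYLOAD))   # False: '<', '>' and '"' are not allow-listed
    print(encode_for_html(PAYLOAD))    # no '<' survives; the browser shows it as text
    print(render_comment("Nice talk"))
```

Validation and encoding are independent layers: the regex decides what is accepted at all, and the encoder guarantees that whatever was accepted cannot be parsed as markup when rendered.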
Questions?
Injection Flaws
Injection Flaws: Overview
Injection flaws, particularly SQL injection, are common in web applications.

Injection occurs when user‐supplied data is sent to an interpreter as part of a
command or query. The attacker’s data tricks the interpreter into executing
unintended commands.
SQL Injection: How it works.
Normal request:
  Kate -> server:     ?uname=kate&pwd=123abc
  server template:    SELECT pwd FROM USERS WHERE uname IS '$uname';
  server -> DB:       SELECT pwd FROM USERS WHERE uname IS 'kate';

Malicious request:
  Bad Guy -> server:  ?uname=';%20DROP%20TABLE%20USERS;&pwd=123abc
  server template:    SELECT pwd FROM USERS WHERE uname IS '$uname';
  server -> DB:       SELECT pwd FROM USERS WHERE uname IS '';
                      DROP TABLE USERS;
SQL Injection: Demo

Demo
SQL Injection
SQL Injection: Protection
1. Enforce least privilege
2. Avoid detailed error messages
3. Do not send dynamic queries
4. Be careful when using stored procedures
5. Do not use dynamic query interface
6. Do not use simple escaping functions
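The lookup from the "How it works" slide, as an added example that is not part of the original slides. It shows the dynamic query text the slide's template produces for the malicious `uname`, then the same lookup done with a bound parameter (point 3: no dynamic queries) on a read-only SQLite connection (point 1: least privilege). The table and the `kate / 123abc` row are constructed from the slide; storing `pwd` in clear text is the slide's schema, not a recommendation.

```python
import os
import sqlite3
import tempfile

# Added example, not from the original slides.

# Constructed database location for this example.
DB_PATH = os.path.join(tempfile.mkdtemp(), "users.db")


def setup_db() -> None:
    """Create the USERS table with the single row the slide uses."""
    con = sqlite3.connect(DB_PATH)
    con.execute("CREATE TABLE IF NOT EXISTS USERS (uname TEXT PRIMARY KEY, pwd TEXT)")
    con.execute("INSERT OR REPLACE INTO USERS VALUES ('kate', '123abc')")
    con.commit()
    con.close()


def build_dynamic_query(uname: str) -> str:
    """The slide's vulnerable pattern: the parameter is spliced into the SQL text."""
    return f"SELECT pwd FROM USERS WHERE uname IS '{uname}';"


def _readonly_connection() -> sqlite3.Connection:
    """Least privilege: the lookup path can read but never write."""
    return sqlite3.connect(f"file:{DB_PATH}?mode=ro", uri=True)


def lookup_pwd(uname: str):
    """Safe lookup: the value is bound as a parameter, never parsed as SQL."""
    con = _readonly_connection()
    try:
        row = con.execute("SELECT pwd FROM USERS WHERE uname = ?", (uname,)).fetchone()
        return row[0] if row else None
    finally:
        con.close()


def write_blocked_on_readonly() -> bool:
    """True if a write through the lookup connection is refused by the database."""
    con = _readonly_connection()
    try:
        con.execute("DROP TABLE USERS")
        return False
    except sqlite3.OperationalError:
        return True
    finally:
        con.close()


def table_exists() -> bool:
    """Check that USERS is still there."""
    con = sqlite3.connect(DB_PATH)
    try:
        row = con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name='USERS'"
        ).fetchone()
        return row is not None
    finally:
        con.close()


# The slide's URL-decoded malicious value.
MALICIOUS_UNAME = "'; DROP TABLE USERS;"

if __name__ == "__main__":
    setup_db()
    print(build_dynamic_query(MALICIOUS_UNAME))  # the second statement is now part of the SQL
    print(lookup_pwd("kate"))                    # 123abc
    print(lookup_pwd(MALICIOUS_UNAME))           # None: treated as an odd user name
    print(write_blocked_on_readonly(), table_exists())
```

With the parameter bound, the database receives one statement and one string value; the quote and semicolon inside the value have no syntactic meaning. The read-only connection is the second layer: even a query that did get through could not drop anything.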
Questions?
Insecure Remote File Include
Insecure Remote File Include: Overview
Malicious file execution vulnerabilities are found in many applications.
Developers will often directly use or concatenate potentially hostile input with
file or stream functions, or improperly trust input files.



                 include $_REQUEST['filename'];
Insecure Remote File Include: How it works.

   <select name="language">
       <option value="fr"></option>
   </select>


   require_once ($_REQUEST["language"]."lang.php");



   <select name="language">
       <option value="fr">French</option>
       <option value="../../../../etc/passwd%00">Show your passwords</option>
   </select>
Insecure Remote File Include: Protection
In general, a well‐written application will not use user‐supplied input in any
filename for any server‐based resource(such as images, XML and XSL transform
documents, or script inclusions), and will have firewall rules in place preventing
new outbound connections to the Internet or internally back to any other
server.
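The language-file lookup from the "How it works" slide, rewritten the way the protection above asks, as an added example that is not part of the original slides: the request parameter is only ever used as a key into a fixed allow-list, so no user-supplied string reaches the filesystem API. The directory and file names are constructed for the example.

```python
import posixpath
from typing import Optional

# Added example, not from the original slides.

LANG_DIR = "/var/www/app/lang"   # assumed location of the language files
LANGUAGE_FILES = {               # fixed allow-list: parameter value -> file name
    "en": "en_lang.php",
    "fr": "fr_lang.php",
    "de": "de_lang.php",
}
DEFAULT_LANGUAGE = "en"


def is_rejected(requested: Optional[str]) -> bool:
    """True when the parameter is not one of the allow-listed keys."""
    return requested not in LANGUAGE_FILES


def resolve_language_file(requested: Optional[str]) -> str:
    """Map the 'language' parameter to a server path via the allow-list only.

    Traversal sequences, null bytes, unknown codes or a missing parameter
    all fall back to the default file instead of being used as a file name.
    """
    key = DEFAULT_LANGUAGE if is_rejected(requested) else requested
    return posixpath.join(LANG_DIR, LANGUAGE_FILES[key])


if __name__ == "__main__":
    print(resolve_language_file("fr"))
    print(resolve_language_file("../../../../etc/passwd\x00"))  # the slide's value
    print(resolve_language_file(None))
```

The allow-list turns the question "is this path safe?" (hard to answer, and where null-byte and traversal tricks live) into "is this one of three known keys?", which is trivially answerable.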
Questions?
Insecure Direct Object Reference
Insecure Direct Object Reference: Overview
A direct object reference occurs when a developer exposes a reference to an
internal implementation object, such as a file, directory, database record, or key,
as a URL or form parameter.

Unless an access control check is in place, an attacker can manipulate those
references to access other objects without authorization.
Insecure Direct Object Reference: How it works.
An unauthorized user can read any cart:

int cartID = Integer.parseInt( request.getParameter( "cartID" ) );
String query = "SELECT * FROM table WHERE cartID=" + cartID;

Preventing:

int cartID = Integer.parseInt( request.getParameter( "cartID" ) );
User user = (User)request.getSession().getAttribute( "user" );
String query = "SELECT * FROM table WHERE cartID=" + cartID + " AND userID=" + user.getID();
Insecure Direct Object Reference: Protection
1. Avoid exposing your private object references to users whenever possible.
2. Verify authorization to all referenced objects
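Both protections above, as an added example that is not part of the original slides: the ownership check from the Java snippet (protection 2) and, on top of it, an indirect reference map so the real `cartID` never appears in a URL or form (protection 1). The cart store, user ids and `Session` class are constructed for the example.

```python
import secrets

# Added example, not from the original slides.

# Constructed data store: real cartID -> owner userID and contents.
CARTS = {
    101: {"owner": 7, "items": ["book"]},
    102: {"owner": 8, "items": ["laptop"]},
}


class Session:
    """Constructed per-user session carrying an indirect reference map."""

    def __init__(self, user_id: int):
        self.user_id = user_id
        self.ref_map = {}   # opaque token -> real cartID, valid for this session only

    def reference_for(self, cart_id: int) -> str:
        """Protection 1: hand out an unguessable token instead of the real id."""
        token = secrets.token_urlsafe(16)
        self.ref_map[token] = cart_id
        return token


def get_cart_by_id(session: Session, cart_id: int):
    """Protection 2: the slide's check, 'cartID = ? AND userID = ?'.

    Returns None both for a missing cart and for someone else's cart, so the
    response does not reveal which ids exist.
    """
    cart = CARTS.get(cart_id)
    if cart is None or cart["owner"] != session.user_id:
        return None
    return cart


def list_my_carts(session: Session) -> dict:
    """Page rendering: tokens are only ever issued for the caller's own carts."""
    return {
        session.reference_for(cid): cart["items"]
        for cid, cart in CARTS.items()
        if cart["owner"] == session.user_id
    }


def get_cart(session: Session, ref: str):
    """Resolve the token in this session's map, then re-check ownership."""
    cart_id = session.ref_map.get(ref)
    if cart_id is None:
        return None
    return get_cart_by_id(session, cart_id)


if __name__ == "__main__":
    kate = Session(7)
    print(get_cart_by_id(kate, 101))   # her own cart
    print(get_cart_by_id(kate, 102))   # None: belongs to user 8
    refs = list_my_carts(kate)
    token = next(iter(refs))
    print(get_cart(kate, token))       # resolved through the indirect reference
    print(get_cart(Session(8), token)) # None: token means nothing in another session
```

The authorization check is kept even behind the indirect map: the map makes references unguessable, the check makes them worthless if guessed or leaked.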
Questions?
Cross Site Request Forgery
Cross Site Request Forgery: Overview
A CSRF attack forces a logged‐on victim’s browser to send a request to a
vulnerable web application, which then performs the chosen action on behalf
of the victim, to the benefit of the attacker.
Cross Site Request Forgery: How it works.

Normal session between Peter and bank.com:
  Peter -> bank.com:  /login.html
  Peter -> bank.com:  /auth
  bank.com -> Peter:  Cookie: sessionid:1234567
  Peter -> bank.com:  /viewbalance   Cookie: sessionid:1234567
  bank.com -> Peter:  Your balance is 50 000 $
Cross Site Request Forgery: How it works.

Peter visits evil.com while logged in to bank.com:
  Peter -> bank.com:  /login.html
  Peter -> bank.com:  /auth
  bank.com -> Peter:  Cookie: sessionid:1234567
  Peter -> evil.com:  /index.html
  evil.com -> Peter:  ...
                      <img src="http://bank.com/paybill?addr=...&amount=1000"/>
                      ...
  Peter -> bank.com:  /paybill?addr=...&amount=1000   Cookie: sessionid:1234567
  bank.com -> Peter:  OK. Payment sent!
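The slides show the attack but not the fix; as an added example that is not part of the original slides, this is a synchronizer-token check for bank.com's `/paybill`. The browser attaches Peter's cookie to the request evil.com triggers, but evil.com cannot read the per-session token bank.com embeds in its own form, so that request fails. `BankSession`, the handler signature and the form markup are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs

# Added example, not from the original slides.


class BankSession:
    """Constructed server-side session: identified by the cookie, holds a CSRF token."""

    def __init__(self, user: str):
        self.user = user
        self.csrf_token = secrets.token_urlsafe(32)   # issued once per session


def render_paybill_form(session: BankSession) -> str:
    """The legitimate form on bank.com carries the session's token as a hidden field."""
    return (
        '<form method="POST" action="/paybill">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}"/>'
        '<input name="addr"/><input name="amount"/>'
        '</form>'
    )


def handle_paybill(session: BankSession, method: str, body: str) -> str:
    """Server handler: state changes only on POST and only with the session's token."""
    if method != "POST":
        # The <img src="...paybill?..."> from evil.com is a GET: it stops here.
        return "405 Method Not Allowed"
    params = parse_qs(body)
    sent = params.get("csrf_token", [""])[0]
    # Constant-time comparison so the check does not leak token bytes via timing.
    if not hmac.compare_digest(sent, session.csrf_token):
        return "403 Forbidden"
    amount = params.get("amount", ["0"])[0]
    return f"OK. Payment of {amount} sent!"


if __name__ == "__main__":
    peter = BankSession("peter")
    print(handle_paybill(peter, "GET", "addr=x&amount=1000"))    # the forged <img> request
    print(handle_paybill(peter, "POST", "addr=x&amount=1000"))   # cross-site POST, no token
    print(handle_paybill(peter, "POST",
                         f"addr=x&amount=1000&csrf_token={peter.csrf_token}"))  # real form
```

Two properties do the work: the token is tied to the session (so it cannot be reused across users) and it lives in the page body rather than a cookie (so the browser does not send it automatically).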
Questions?
Others
6. Information Leakage And Improper Error Handling
7. Broken Authentication And Session Management
8. Insecure Cryptographic Storage
9. Insecure Communications
10. Failure To Restrict URL Access
Questions?

 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 

Recently uploaded (20)

Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 

Web Application Security

  • 10. BSN: The Web Hacking Incidents Database. What are the drivers for Web Hacking?
    [Pie chart of recorded incidents by motive: Stealing Sensitive Information 42%, Defacement 23%, Planting Malware 15%, Unknown 8%, Deceit 3%, Blackmail 3%, Link Spam 3%, Worm 1%, Phishing 1%, Information Warfare 1%.]
  • 11. BSN: The Web Hacking Incidents Database. Which vulnerabilities are exploited?
    [Pie chart of recorded incidents by attack vector, annotated with the matching OWASP Top Ten item (A1 to A7, and A10 of the 2004 list): SQL Injection 20%, Unintentional Information Disclosure 17%, Known Vulnerability 15%, Cross Site Scripting (XSS) 12%, Insufficient Access Control 10%, Credential/Session Prediction 8%, Other 18%.]
  • 13. Cross Site Scripting: Overview
    Cross Site Scripting (XSS) flaws occur whenever an application takes data that originated from a user and sends it to a web browser without first validating or encoding that content.
    [Diagram] The attacker submits:
        <script type="text/javascript"> alert("You've been hacked!"); </script>
    Sent back by the server as-is, the victim's browser parses it as markup and runs the script:
        <script type="text/javascript"> alert("You've been hacked!"); </script>
    Sent back HTML-entity encoded, the browser renders it as harmless text:
        &lt;script type="text/javascript"&gt; alert("You've been hacked!"); &lt;/script&gt;
  • 14. Cross Site Scripting: How it works.
    [Diagram: the Bad Guy posts a malicious message to the application; Kate and Nick, who later view that message, run the attacker's script in their own browsers.]
  • 16. Cross Site Scripting: Protection
    1. Input validation. Use a standard input validation mechanism to validate all input data for length, type, syntax, and business rules before accepting the data to be displayed or stored.
    2. Strong output encoding. Ensure that all user-supplied data is HTML entity encoded before rendering in HTML, taking the approach to encode all characters other than a very limited subset.
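The two defences on the protection slide, written out as an added example (this is not code from the slides or from the presenter): an encoder that leaves only [A-Za-z0-9 ] untouched and turns every other character into a numeric character reference, a syntax validator for a field whose format is known, and the vulnerable and hardened versions of a comment renderer. The function names and the comment markup are assumptions of this example; the payload is the script from the overview slide.

```python
import re

# Added example, not from the original slides. Names (encode_for_html,
# validate_username, render_comment) are assumptions of this example.

# Allow-list of characters left untouched by the encoder; everything else is
# emitted as a numeric character reference.
_SAFE = re.compile(r"[A-Za-z0-9 ]")


def encode_for_html(text: str) -> str:
    """Entity-encode `text` for insertion into an HTML element body.

    Encoding every character outside a small allow-list (rather than only
    & < > " ') makes the result inert no matter which extra characters a
    particular browser's parser happens to treat as special.
    """
    return "".join(ch if _SAFE.match(ch) else f"&#x{ord(ch):x};" for ch in text)


_USERNAME = re.compile(r"^[A-Za-z0-9_]{3,20}$")


def validate_username(value) -> str:
    """Input validation: type, length and syntax are checked before the value
    is stored or displayed; anything else is rejected rather than 'cleaned'."""
    if not isinstance(value, str) or not _USERNAME.match(value):
        raise ValueError("invalid username")
    return value


def render_comment_vulnerable(author: str, body: str) -> str:
    # The flaw from the overview slide: user data copied straight into HTML.
    return f"<p><b>{author}</b>: {body}</p>"


def render_comment(author: str, body: str) -> str:
    # Hardened: validate what has a known syntax, encode everything on output.
    author = encode_for_html(validate_username(author))
    return f"<p><b>{author}</b>: {encode_for_html(body)}</p>"


# Constructed payload: the script from the overview slide.
PAYLOAD = '<script type="text/javascript">alert("You\'ve been hacked!");</script>'

if __name__ == "__main__":
    print(render_comment_vulnerable("nick", PAYLOAD))  # <script> reaches the browser as markup
    print(render_comment("nick", PAYLOAD))             # &#x3c;script ... is shown as plain text
```

The encoder is for element content only; a value placed inside an attribute, a URL or a script block needs the encoding rules of that context, which is why the slide says "before rendering in HTML" rather than "once, on input".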
  • 19. Injection Flaws: Overview Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user‐supplied data is sent to an interpreter as part of a command or query. The attacker’s data tricks the interpreter into executing unintended commands.
  • 20. SQL Injection: How it works.
    Normal request from Kate:
        ?uname=kate&pwd=123abc
        server template: SELECT pwd FROM USERS WHERE uname IS '$uname';
        DB server receives: SELECT pwd FROM USERS WHERE uname IS 'kate';
    Request from the Bad Guy:
        ?uname=';%20DROP%20TABLE%20USERS;&pwd=123abc
        server template: SELECT pwd FROM USERS WHERE uname IS '$uname';
        DB server receives: SELECT pwd FROM USERS WHERE uname IS ''; DROP TABLE USERS;
    The quote in the parameter closes the string literal, so the rest of the input is parsed as a second statement.
  • 23. SQL Injection: Protection
    1. Enforce least privilege: the account the application connects with should only be able to do what the application needs (it should not be able to DROP tables).
    2. Avoid detailed error messages: database errors shown to the user help the attacker tune the injection.
    3. Do not build queries dynamically from user input; use parameterized queries (prepared statements) so that data is bound as values and never parsed as SQL.
    4. Be careful when using stored procedures: a procedure that builds SQL from its arguments is just as injectable.
    5. Do not use dynamic query interfaces that take a raw SQL string assembled at run time.
    6. Do not rely on simple escaping functions (such as PHP's addslashes()); they are not a substitute for parameterization.
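The slide's login lookup in both forms, as an added example that is not from the slides: the string-built query (the flaw) beside the parameterized one (point 3 above), run against an in-memory SQLite database with constructed rows. Table and column names follow the slide; the driver, the sample users and the function names are assumptions of this example. Note that Python's sqlite3 execute() refuses stacked statements, so the slide's DROP TABLE payload is shown through executescript(), which accepts them, as any interface built on a raw SQL string might.

```python
import sqlite3

# Added example, not from the original slides. Schema and sample rows are
# constructed; function names are assumptions of this example.


def make_db() -> sqlite3.Connection:
    # Constructed sample data so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uname TEXT, pwd TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("kate", "123abc"), ("nick", "s3cret")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, uname: str) -> list:
    # The slide's pattern: the request parameter becomes part of the SQL text,
    # so the interpreter cannot tell data from command.
    query = f"SELECT pwd FROM users WHERE uname = '{uname}'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, uname: str) -> list:
    # Parameterized query: the SQL text is fixed at development time and uname
    # is bound as a value, so quotes and semicolons in it are never parsed as SQL.
    rows = conn.execute("SELECT pwd FROM users WHERE uname = ?", (uname,))
    return [row[0] for row in rows]


def stacked_vulnerable(conn: sqlite3.Connection, uname: str) -> None:
    # Same flaw on an interface that accepts several statements at once
    # (executescript here): this is what the slide's DROP TABLE payload needs.
    conn.executescript(f"SELECT pwd FROM users WHERE uname = '{uname}'")


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
                       (name,)).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = make_db()
    print(lookup_vulnerable(conn, "' OR '1'='1"))   # every password: ['123abc', 's3cret']
    print(lookup_safe(conn, "' OR '1'='1"))         # no such user: []
    stacked_vulnerable(conn, "'; DROP TABLE users; --")
    print(table_exists(conn, "users"))              # False
```

The "--" in the stacked payload comments out the quote the template appends, which is why it parses cleanly; the slide's payload without it still executes the DROP on engines that run statements one by one before reporting the trailing syntax error. Least privilege (point 1) is the layer that survives when the code is wrong: a connection without DROP rights cannot lose the table.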
  • 26. Insecure Remote File Include: Overview
    Malicious file execution vulnerabilities are found in many applications. Developers will often directly use or concatenate potentially hostile input with file or stream functions, or improperly trust input files.
        include $_REQUEST['filename'];
  • 27. Insecure Remote File Include: How it works.
    The page offers a language selector and includes the matching file:
        <select name="language">
          <option value="fr"></option>
        </select>
        require_once ($_REQUEST["language"]."lang.php");
    The attacker edits the form (or simply the request) so that the parameter is a path instead of a language code:
        <select name="language">
          <option value="fr">French</option>
          <option value="../../../../etc/passwd%00">Show your passwords</option>
        </select>
    The traversal climbs out of the language directory, and the %00 (NUL byte) cut the path off before "lang.php" was appended on PHP versions before 5.3.4, which truncated file names at a NUL; the script then includes /etc/passwd. The same parameter could equally carry a URL when remote includes are enabled, which is the remote case the slide title names.
  • 28. Insecure Remote File Include: Protection
    In general, a well-written application will not use user-supplied input in any filename for any server-based resource (such as images, XML and XSL transform documents, or script inclusions), and will have firewall rules in place preventing new outbound connections to the Internet or internally back to any other server.
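One way to apply the protection slide to the language-file include from the previous slide, as an added example that is not from the slides: the request is only allowed to choose a key in an allow-list, the file name comes from the server's own table, and the resolved path is checked to stay under the language directory. The LANGUAGES table, the base directory, the probe inputs and the function names are assumptions of this example.

```python
import os
import tempfile

# Added example, not from the original slides. LANGUAGES, base_dir and the
# function names are assumptions of this example.

# The request may only choose a key; the file name comes from this table.
LANGUAGES = {"en": "en_lang.php", "fr": "fr_lang.php"}


def resolve_language_file(base_dir: str, requested: str) -> str:
    """Map the request parameter to a file under base_dir, or raise ValueError."""
    if requested not in LANGUAGES:
        # Covers ../ traversal, NUL bytes, URLs and anything else not on the list.
        raise ValueError(f"unsupported language: {requested!r}")
    root = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(root, LANGUAGES[requested]))
    # Defence in depth: even a mistaken table entry cannot point outside root.
    if os.path.commonpath([root, path]) != root:
        raise ValueError("path escapes the language directory")
    return path


def load_language(base_dir: str, requested: str) -> str:
    with open(resolve_language_file(base_dir, requested), encoding="utf-8") as f:
        return f.read()


def demo() -> dict:
    # Constructed fixture: a scratch directory holding the two allowed files.
    base = tempfile.mkdtemp()
    for name in LANGUAGES.values():
        with open(os.path.join(base, name), "w", encoding="utf-8") as f:
            f.write(f"<?php /* {name} */ ?>")
    attempts = ("fr",
                "../../../../etc/passwd\x00",       # the slide's traversal payload
                "http://evil.example/shell.txt",     # a remote include attempt
                "fr/../../x")
    results = {}
    for req in attempts:
        try:
            results[req] = load_language(base, req)
        except ValueError as err:
            results[req] = f"rejected: {err}"
    return results


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{req!r:40} -> {outcome}")
```

The allow-list does the real work; the realpath check only guards against the table itself being wrong. The outbound firewall rule from the slide is what stops a remote include even if both checks are missing, since the server can then not fetch the attacker's file at all.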
  • 31. Insecure Direct Object Reference: Overview A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Unless an access control check is in place, an attacker can manipulate those references to access other objects without authorization.
  • 32. Insecure Direct Object Reference: How it works.
    Any logged-in user can read any cart, because the lookup trusts the cartID the client sends:
        int cartID = Integer.parseInt( request.getParameter( "cartID" ) );
        String query = "SELECT * FROM table WHERE cartID=" + cartID;
    Preventing: take the owner from the server-side session and make it part of the lookup:
        int cartID = Integer.parseInt( request.getParameter( "cartID" ) );
        User user = (User)request.getSession().getAttribute( "user" );
        String query = "SELECT * FROM table WHERE cartID=" + cartID + " AND userID=" + user.getID();
  • 33. Insecure Direct Object Reference: Protection 1. Avoid exposing your private object references to users whenever possible. 2. Verify authorization to all referenced objects
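The cart lookup from the previous slide in both forms, plus a per-session indirect reference map for point 1 above, as an added example that is not from the slides: the client is handed random tokens instead of cart ids, and a token that this session never issued resolves to nothing. The schema, the sample carts, the session user id and the class and function names are assumptions of this example.

```python
import secrets
import sqlite3

# Added example, not from the original slides. Schema, sample rows and names
# are assumptions of this example.


def make_db() -> sqlite3.Connection:
    # Constructed data: two carts belonging to two different users.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE carts (cart_id INTEGER PRIMARY KEY, user_id INTEGER, total INTEGER)")
    conn.executemany("INSERT INTO carts VALUES (?, ?, ?)", [(1, 100, 40), (2, 200, 999)])
    return conn


def get_cart_vulnerable(conn: sqlite3.Connection, cart_id: int):
    # The slide's first snippet: whoever supplies cart_id gets that cart.
    # (Parameterized here; the access-control flaw is independent of SQL injection.)
    return conn.execute("SELECT cart_id, user_id, total FROM carts WHERE cart_id = ?",
                        (cart_id,)).fetchone()


def get_cart(conn: sqlite3.Connection, cart_id: int, user_id: int):
    # The slide's fix: user_id comes from the server-side session, never from
    # the request, and is part of the lookup, so another user's cart yields None.
    return conn.execute(
        "SELECT cart_id, user_id, total FROM carts WHERE cart_id = ? AND user_id = ?",
        (cart_id, user_id)).fetchone()


class ReferenceMap:
    """Indirect references for one session: the client only ever sees random
    tokens issued to it, and a token nobody issued resolves to nothing."""

    def __init__(self) -> None:
        self._cart_by_token = {}

    def expose(self, cart_id: int) -> str:
        token = secrets.token_urlsafe(16)
        self._cart_by_token[token] = cart_id
        return token

    def resolve(self, token: str):
        return self._cart_by_token.get(token)


if __name__ == "__main__":
    conn = make_db()
    session_user = 100                                   # who is logged in, per the session
    print(get_cart_vulnerable(conn, 2))                  # (2, 200, 999): someone else's cart
    print(get_cart(conn, 2, session_user))               # None
    refs = ReferenceMap()
    token = refs.expose(1)
    print(get_cart(conn, refs.resolve(token), session_user))  # (1, 100, 40)
    print(refs.resolve("2"))                             # None: raw ids are not valid references
```

The indirect map hides ids but does not replace the ownership check: a token issued to a session still has to be resolved for that session only, and the lookup it leads to still joins on the session's user. Point 2 on the slide is the one that cannot be skipped.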
  • 36. Cross Site Request Forgery: Overview A CSRF attack forces a logged‐on victim’s browser to send a request to a vulnerable web application, which then performs the chosen action on behalf of the victim, to the benefit of the attacker.
  • 37. Cross Site Request Forgery: How it works.
    [Sequence diagram, Peter and bank.com]
    Peter -> bank.com: /login.html
    Peter -> bank.com: /auth; bank.com sets Cookie: sessionid:1234567
    Peter -> bank.com: /viewbalance, Cookie: sessionid:1234567
    bank.com -> Peter: Your balance is 50 000 $
  • 38. Cross Site Request Forgery: How it works.
    [Sequence diagram, Peter, bank.com and evil.com]
    Peter -> bank.com: /login.html, /auth; bank.com sets Cookie: sessionid:1234567
    Peter -> evil.com: /index.html, which contains
        ...
        <img src="http://bank.com/paybill?addr=...&amount=1000"/>
        ...
    Peter's browser -> bank.com: /paybill?addr=...&amount=1000, Cookie: sessionid:1234567 (attached by the browser automatically)
    bank.com -> Peter: OK. Payment sent!
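The slides show the attack but no protection slide for it; as an added example that is not from the slides, here is the /paybill handler from the diagram with the usual two defences: state-changing actions only on POST (so the <img> trick on evil.com fails at the method check), and a synchronizer token bound to the session that evil.com cannot read because of the same-origin policy. The request dictionary shape, SERVER_KEY, the endpoint logic and the function names are assumptions of this example; bank.com's real code is not shown on the slides.

```python
import hashlib
import hmac
import secrets

# Added example, not from the original slides. The request shape, SERVER_KEY
# and the handler are assumptions of this example.

# Secret known only to the server; constructed at import time for the example.
SERVER_KEY = secrets.token_bytes(32)


def csrf_token(session_id: str) -> str:
    """Token bound to the session. bank.com embeds it in its own forms; evil.com
    cannot read bank.com's pages (same-origin policy), so it cannot supply it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def valid_csrf(session_id: str, presented) -> bool:
    if not isinstance(presented, str):
        return False
    return hmac.compare_digest(csrf_token(session_id), presented)


def paybill(request: dict) -> str:
    """Simulated /paybill handler; request has keys method, cookies, params."""
    session_id = request["cookies"].get("sessionid")
    if session_id is None:
        return "401 not logged in"
    if request["method"] != "POST":
        # A state change must not be reachable by GET: the <img> trick dies here.
        return "405 state change requires POST"
    if not valid_csrf(session_id, request["params"].get("csrf_token")):
        # A browser-submitted cross-site POST carries the cookie but no token.
        return "403 missing or invalid CSRF token"
    p = request["params"]
    return f"OK. Payment of {p['amount']} sent to {p['addr']}"


def forged_img_request() -> dict:
    # What the <img src="http://bank.com/paybill?..."> on evil.com produces:
    # the browser adds Peter's cookie by itself, but the method is GET.
    return {"method": "GET", "cookies": {"sessionid": "1234567"},
            "params": {"addr": "attacker", "amount": "1000"}}


def forged_post_request() -> dict:
    # evil.com auto-submitting a hidden form instead: POST, cookie, still no token.
    return {"method": "POST", "cookies": {"sessionid": "1234567"},
            "params": {"addr": "attacker", "amount": "1000"}}


def legitimate_request() -> dict:
    # Peter submitting bank.com's own form, which carried the token.
    return {"method": "POST", "cookies": {"sessionid": "1234567"},
            "params": {"addr": "utility-co", "amount": "50",
                       "csrf_token": csrf_token("1234567")}}


if __name__ == "__main__":
    for req in (forged_img_request(), forged_post_request(), legitimate_request()):
        print(paybill(req))
```

The token is derived from the session id with a server-side key, so it needs no extra storage and a token captured for one session is useless for another. Rejecting GET alone is not enough, because evil.com can auto-submit a POST form just as easily as it can embed an image; the token is the check that distinguishes the two POSTs. The SameSite cookie attribute in current browsers adds a second, browser-side layer, but the token remains the defence the application controls.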
  • 41. Others
    6. Information Leakage And Improper Error Handling
    7. Broken Authentication And Session Management
    8. Insecure Cryptographic Storage
    9. Insecure Communications
    10. Failure To Restrict URL Access