SlideShare une entreprise Scribd logo

Infragard 2004 - Web Attacks and Defenses

Tyler Shields
Tyler Shields

Web attack presentation circa 2004

Technologie
1  sur  35
Web Attacks and Defenses Vulnerable .Net PetStore Demo Tyler Shields & Anthony Barkley July 12, 2004
PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Agenda Introduction Application Attacks Overview Attack Methodologies Demonstration Platform Details Demo of Common Vulnerabilities Cross-site Scripting Directory Traversal SQL Injection Verbose Error Messages Price Fixing (aka Parameter Tampering) Information Disclosure Review Questions
PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Introduction @Stake, Inc. – Premier digital security consulting company – Services cover key aspects of security, including applications security, critical infrastructure, wireless and wired networks, storage systems, education, and incident readiness. – @stake clients include six of the world's top ten financial institutions, four of the world's top ten independent software companies and seven of the world's top ten telecommunications carriers. – Offices in RTP, Chicago, London, Boston, San Francisco, Seattle, New York City, Denver.
PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Introduction Anthony Barkley – Technical Director for @stake's RTP office. He has been working in the security industry for over a decade with his primary focus on security for enterprise and Application Service Provider (ASP) infrastructures. His professional experience includes systems integration, internetworking, security architecture, teaching, and project management from concept to implementation. Anthony holds a BA from North Carolina State University and has completed numerous certifications, including the CCSA, CCSE, MCSA, MCSE and CISSP. Tyler Shields – Senior Security Architect with @stake, Inc. Tyler's primary focus is application penetration testing and analysis. He has presented at major industry conferences, taught security courses, and has been involved in the security community for nearly a decade contributing to many prominent mailing lists and open source security projects. Tyler graduated from the Rochester Institute of Technology, in Rochester, NY with a BS in Information Technology and since has acquired a number of security certifications including his CCSA, CCSE, and CISSP.
PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Application Attacks Overview Application security measures are often implemented at the network level – This will not work effectively as network ACLs cannot protect against the use of valid connections – Network security cannot generally provide adequate protection at the application level – Network implemented application controls may introduce significant impact on performance Applications are the next generation attack point – Information about application attacks is more readily available – Protections against application attacks are not as robust or mature as network security – Tools for testing applications are becoming more readily available
PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Application Attacks Overview Applications are targeted because they are the access point for data, products, resources, and money – Even with conventional network defense, many applications can be attacked – Security controls around applications can be bypassed, which allows attackers to: Modify information Steal products Credit money to accounts – In some cases the attack may grant access to other portions of the application or to the environment – The attack may not even involve theft If the attacker understands the system being attacked, it is possible that they will be able to merely “borrow” resources
PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Attack Methodology Discover Target Attack
PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Attack Methodology: Discover Examine the environment – Identify what types and version of applications are running (banners/headers) – Identify what ports are open for communication to the server and the application – Examine extensions: foo.jhtml, foo.shtml - will often reveal the application server engine (weblogic, coldfusion, tomcat, etc.) Generate and examine errors – Submit ridiculous input and monitor response (fuzzing) – Database errors are extremely helpful Look for information left behind from development – Sample code or snippets
PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Attack Methodology: Discover Look for configuration errors: – Use a sniffer to examine traffic – Review client software – Use network scanning and probing tools Look for environment errors: – Identify ways to circumvent application security controls – Reveal program data flow and logic flow – Reveal critical systems that are easier to attack than the original target
PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Attack Methodology: Discover Use a debug proxy to intercept client-server communications – Observe application traffic and modify components of application traffic independently of the client – Look for hidden fields and notes embedded in the source – Developers tend to make assumptions about the integrity of “client” generated data, like headers and other data that is supposedly concealed from the user -- abuse these assumptions Include a regular expression engine to make on the fly replacements Use an existing tool or a write a new one – HTTP: HTTPush, RFProxy, @stake Webproxy
PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Attack Methodology: Target Login Mechanism Session Management Input Fields Unprotected Interfaces Application Related Infrastructure Application Related Networks
PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Demonstration Platform Details Microsoft .Net PetShop 3.0 is Microsoft’s implementation of a J2EE sample application. – Original application can be found at : http://msdn.microsoft.com/library/default.asp?url=/library/en- us/dnbda/html/psimp.asp?frame=true Does not out of the box have these vulnerabilities – Added by @stake for demonstration purposes Vulnerabilities based on common web application issues found in production environments. Platform built on Windows 2000 Server, IIS 5.0 and SQL Server 2000
PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Demonstration Platform Details What it is and what does it do Vulnerability identification Execution of the vulnerability Review of faulty application code Possible mitigation techniques
PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Common Vulnerabilities - Cross Site Scripting (XSS) What it is and what does it do – XSS is the injection of code or script into a web page that is then displayed to a third party executing the script in the context of their web browser. Vulnerability identification – Look for anywhere were client supplied data is redisplayed to the end user and not properly input validated or output encoded. Execution of the vulnerability – Inject some simple script and see if the resulting page contains your data.
PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Common Vulnerabilities - Cross Site Scripting (XSS) Review of faulty application code – Search Results for "<%=Request["keywords"]%>“ – Lack of input validation and output encoding Possible mitigation techniques – Input validation and output encoding The original code htmlEncodes suspicious values on output Validate all input against a known set of approved characters – Defense in depth: Truncate all input fields to a max reasonable length Out-of the box .Net bans ‘<‘
PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Cross Site Scripting Demonstration http://TARGETIP/MSPetShop/Search.aspx?keywords=<script>alert("hello%20world");</script>
PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Common Vulnerabilities – SQL Injection What it is and what does it do – SQL Injection is a vulnerability allowing an attacker to submit SQL statements of their choosing that are then processed by the application. Vulnerability identification – Typical identification techniques include submitting characters such as ‘, “, or – characters into an input field. Based on the resulting errors and/or data, SQL Injection points may be identified. Execution of the vulnerability – Longer cycle of execution. Based on resulting error pages and/or data the entire database schema and stored data may be compromised.
PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Common Vulnerabilities – SQL Injection Review of faulty application code – string sql = "SELECT Item.ItemId, Item.Attr1, Inventory.Qty, Item.ListPrice, Product.Name, Product.Descn FROM Item INNER JOIN Inventory ON Item.ItemId = Inventory.ItemId INNER JOIN Product ON Item.ProductId = Product.ProductId WHERE Item.ItemId = '"+itemId+"';"; – Lack of input validation – Dynamically concatenated SQL statements
PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Common Vulnerabilities – SQL Injection Possible mitigation techniques – Input Validation The original code htmlEncodes suspicious values such as ’ Input validation: itemId should not contain anything but A-Z,0-9 and not be longer than 15 characters. Use white-list based input filtering. – Prepared statements Arguments are added to the statement after it is parsed for validation Limited privileges: Create a “browse” identity with only select privileges on the products tables
PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. SQL Injection Demonstration http://TARGETIP/MSPetShop/Items.aspx?productId=FI-FW- 01'%20union%20select%20*%20from%20credentials;--
PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Common Vulnerabilities – Price Fixing What it is and what does it do – Commonly referred to as parameter manipulation attacks – Allows the attacker to modify values that are then utilized by the application in an unchecked fashion Vulnerability identification – Modification of parameters in a logical fashion in an attempt to verify the validation and authorization routines of the application server Execution of the vulnerability – If possible modify in the URL directly – Alternatively utilize an http(s) intercepting proxy
PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Common Vulnerabilities – Price Fixing Review of faulty application code – decimal price = decimal.Parse(Request["UnitPrice"]); myCart.Add(itemId,price); – Data stored client side utilized directly in the application business logic – No verification of pricing (parameter) against server side data Possible mitigation techniques – Do not store sensitive information client side If you must, encrypt and sign the data – Do not trust client data Verify that user supplied data has not been tampered with
PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Price Fixing - Demonstration http://TARGETIP/MSPetShop/ShoppingCart.aspx?itemId=EST-4&UnitPrice=0.99
PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Common Vulnerabilities – Directory Traversal What it is and what does it do – Allow the attacker to download or gain access to files outside of the normal web directory structure Vulnerability identification – Manipulation of parameters with .. And / or characters in an attempt to bypass normal directory structures Execution of the vulnerability – Modify the parameters within the URL – Alternatively intercept the request and modify hidden fields or modify the content of the HTTP POST
PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Common Vulnerabilities – Directory Traversal Review of faulty application code – string path = "c:PetStore.review"+itemId; using (StreamReader sr = new StreamReader(path)) – Lack of input validation – File access granted where not specifically required Possible mitigation techniques – Validate all input – Utilize a lower privileged account – Only grant permissions on specifically required files – Use “Mappath” method to safely generate a file path
PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Directory Traversal - Demonstration http://TARGETIP/MSPetShop/ItemDetails.aspx?itemId=..odbcconf.log
PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Common Vulnerabilities – Verbose Error Messages What it is and what does it do – Presenting the end user with verbose error messages including potentially sensitive information – Utilized to further other attacks against the system Vulnerability identification – No special technique required – Review all error messages in detail Execution of the vulnerability – May directly result in an attack vector presenting itself for exploit – May leak information that can be used in conjunction with other attack vectors
PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Common Vulnerabilities – Verbose Error Messages Review of faulty application code – Configuration error allowing the web service to be available for requests – Error presents detailed information Possible mitigation techniques – Modify the resulting page to have a limited error message – Configure the server so this functionality is not available or remove it all together
PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Verbose Error Messages - Demonstration http://192.168.0.180/MSPetShop/WebServices.asmx?op=SignOn
PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Common Vulnerabilities – Information Disclosure What it is and what does it do – Default functionality leaks information – Allows an attacker to gain knowledge about the target environment – May leak sensitive data Vulnerability identification – Subtle differences in information displayed in the browser – Comments left in production code – Application functionality that does not require authentication
PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Common Vulnerabilities – Information Disclosure Execution of the vulnerability – Varies dependant upon the type of information disclosure – May be an error scenario – May be standard functionality available without authentication Review of faulty application code – Commonly a configuration error – May be extra information in comments or in presented data Possible mitigation techniques – Require authentication on all requests – Verify presented data can not be used against in other attacks
PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Information Disclosure - Demonstration
PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Review - Attacks Cross-site Scripting SQL Injection Price Fixing (aka Parameter Tampering) Directory Traversal Verbose Error Messages Information Disclosure
PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Review - Defenses Input validation Output sanitation and encoding Least privilege accounts and account permissions Limit error message information Require authentication and authorization for all requests Harden the web application removing extraneous content
PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Questions

Recommandé

Application Security
Application SecurityApplication Security
Application SecurityReggie Niccolo Santos
 
Application Security Testing(AST)
Application Security Testing(AST)Application Security Testing(AST)
Application Security Testing(AST)Arvind Bhardwaj [AB]
 
Cyber security series Application Security
Cyber security series Application SecurityCyber security series Application Security
Cyber security series Application SecurityJim Kaplan CIA CFE
 
Security in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsSecurity in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsCenzic
 
Oh, WASP! Security Essentials for Web Apps
Oh, WASP! Security Essentials for Web AppsOh, WASP! Security Essentials for Web Apps
Oh, WASP! Security Essentials for Web AppsTechWell
 
OWASP Top 10 Project
OWASP Top 10 ProjectOWASP Top 10 Project
OWASP Top 10 ProjectMuhammad Shehata
 
Web application penetration testing
Web application penetration testingWeb application penetration testing
Web application penetration testingImaginea
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101Cybersecurity Education and Research Centre
 

Recommandé

Application Security
Application SecurityApplication Security
Application SecurityReggie Niccolo Santos
 
Application Security Testing(AST)
Application Security Testing(AST)Application Security Testing(AST)
Application Security Testing(AST)Arvind Bhardwaj [AB]
 
Cyber security series Application Security
Cyber security series Application SecurityCyber security series Application Security
Cyber security series Application SecurityJim Kaplan CIA CFE
 
Security in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsSecurity in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsCenzic
 
Oh, WASP! Security Essentials for Web Apps
Oh, WASP! Security Essentials for Web AppsOh, WASP! Security Essentials for Web Apps
Oh, WASP! Security Essentials for Web AppsTechWell
 
OWASP Top 10 Project
OWASP Top 10 ProjectOWASP Top 10 Project
OWASP Top 10 ProjectMuhammad Shehata
 
Web application penetration testing
Web application penetration testingWeb application penetration testing
Web application penetration testingImaginea
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101Cybersecurity Education and Research Centre
 
Application security
Application securityApplication security
Application securityHagar Alaa el-din
 
CSSLP & OWASP & WebGoat
CSSLP & OWASP & WebGoatCSSLP & OWASP & WebGoat
CSSLP & OWASP & WebGoatSurachai Chatchalermpun
 
Owasp
Owasp Owasp
Owasp penetration Tester
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing BasicsRick Wanner
 
Two-factor authentication- A sample writing _Zaman
Two-factor authentication- A sample writing _ZamanTwo-factor authentication- A sample writing _Zaman
Two-factor authentication- A sample writing _ZamanAsad Zaman
 
Penetration and hacking training brief
Penetration and hacking training briefPenetration and hacking training brief
Penetration and hacking training briefBill Nelson
 
How I Learned to Stop Information Sharing and Love the DIKW
How I Learned to Stop Information Sharing and Love the DIKWHow I Learned to Stop Information Sharing and Love the DIKW
How I Learned to Stop Information Sharing and Love the DIKWSounil Yu
 
Corporate threat vector and landscape
Corporate threat vector and landscapeCorporate threat vector and landscape
Corporate threat vector and landscapeyohansurya2
 
Secure Coding 2013
Secure Coding 2013 Secure Coding 2013
Secure Coding 2013 The eCore Group
 
Why Penetration Tests Are Important Cyber51
Why Penetration Tests Are Important Cyber51Why Penetration Tests Are Important Cyber51
Why Penetration Tests Are Important Cyber51martinvoelk
 
Mobile security services 2012
Mobile security services 2012Mobile security services 2012
Mobile security services 2012Tjylen Veselyj
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security TestingMarco Morana
 
New Paradigms for the Next Era of Security
New Paradigms for the Next Era of SecurityNew Paradigms for the Next Era of Security
New Paradigms for the Next Era of SecuritySounil Yu
 
[DSBW Spring 2009] Unit 08: WebApp Security
[DSBW Spring 2009] Unit 08: WebApp Security[DSBW Spring 2009] Unit 08: WebApp Security
[DSBW Spring 2009] Unit 08: WebApp SecurityCarles Farré
 
Axoss Web Application Penetration Testing Services
Axoss Web Application Penetration Testing ServicesAxoss Web Application Penetration Testing Services
Axoss Web Application Penetration Testing ServicesBulent Buyukkahraman
 
Network penetration testing
Network penetration testingNetwork penetration testing
Network penetration testingImaginea
 
REAL-TIME THREAT INTELLIGENCE FOR TRUSTED RELATIONSHIPS
REAL-TIME THREAT INTELLIGENCE FOR TRUSTED RELATIONSHIPSREAL-TIME THREAT INTELLIGENCE FOR TRUSTED RELATIONSHIPS
REAL-TIME THREAT INTELLIGENCE FOR TRUSTED RELATIONSHIPSForgeRock
 
Protecting Against Vulnerabilities in SharePoint Add-ons
Protecting Against Vulnerabilities in SharePoint Add-onsProtecting Against Vulnerabilities in SharePoint Add-ons
Protecting Against Vulnerabilities in SharePoint Add-onsImperva
 
Cyber Security - IDS/IPS is not enough
Cyber Security - IDS/IPS is not enoughCyber Security - IDS/IPS is not enough
Cyber Security - IDS/IPS is not enoughSavvius, Inc
 
[Industry Intelligence Brief] Cyber Threats to the Legal and Professional Ser...
[Industry Intelligence Brief] Cyber Threats to the Legal and Professional Ser...[Industry Intelligence Brief] Cyber Threats to the Legal and Professional Ser...
[Industry Intelligence Brief] Cyber Threats to the Legal and Professional Ser...FireEye, Inc.
 
IQT 2010 - The App Does That!?
IQT 2010 - The App Does That!?IQT 2010 - The App Does That!?
IQT 2010 - The App Does That!?Tyler Shields
 
Intelligence on the Intractable Problem of Software Security
Intelligence on the Intractable Problem of Software SecurityIntelligence on the Intractable Problem of Software Security
Intelligence on the Intractable Problem of Software SecurityTyler Shields
 

Contenu connexe

Tendances

Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing BasicsRick Wanner
 
Two-factor authentication- A sample writing _Zaman
Two-factor authentication- A sample writing _ZamanTwo-factor authentication- A sample writing _Zaman
Two-factor authentication- A sample writing _ZamanAsad Zaman
 
Penetration and hacking training brief
Penetration and hacking training briefPenetration and hacking training brief
Penetration and hacking training briefBill Nelson
 
How I Learned to Stop Information Sharing and Love the DIKW
How I Learned to Stop Information Sharing and Love the DIKWHow I Learned to Stop Information Sharing and Love the DIKW
How I Learned to Stop Information Sharing and Love the DIKWSounil Yu
 
Corporate threat vector and landscape
Corporate threat vector and landscapeCorporate threat vector and landscape
Corporate threat vector and landscapeyohansurya2
 
Why Penetration Tests Are Important Cyber51
Why Penetration Tests Are Important Cyber51Why Penetration Tests Are Important Cyber51
Why Penetration Tests Are Important Cyber51martinvoelk
 
Mobile security services 2012
Mobile security services 2012Mobile security services 2012
Mobile security services 2012Tjylen Veselyj
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security TestingMarco Morana
 
New Paradigms for the Next Era of Security
New Paradigms for the Next Era of SecurityNew Paradigms for the Next Era of Security
New Paradigms for the Next Era of SecuritySounil Yu
 
[DSBW Spring 2009] Unit 08: WebApp Security
[DSBW Spring 2009] Unit 08: WebApp Security[DSBW Spring 2009] Unit 08: WebApp Security
[DSBW Spring 2009] Unit 08: WebApp SecurityCarles Farré
 
Axoss Web Application Penetration Testing Services
Axoss Web Application Penetration Testing ServicesAxoss Web Application Penetration Testing Services
Axoss Web Application Penetration Testing ServicesBulent Buyukkahraman
 
Network penetration testing
Network penetration testingNetwork penetration testing
Network penetration testingImaginea
 
REAL-TIME THREAT INTELLIGENCE FOR TRUSTED RELATIONSHIPS
REAL-TIME THREAT INTELLIGENCE FOR TRUSTED RELATIONSHIPSREAL-TIME THREAT INTELLIGENCE FOR TRUSTED RELATIONSHIPS
REAL-TIME THREAT INTELLIGENCE FOR TRUSTED RELATIONSHIPSForgeRock
 
Protecting Against Vulnerabilities in SharePoint Add-ons
Protecting Against Vulnerabilities in SharePoint Add-onsProtecting Against Vulnerabilities in SharePoint Add-ons
Protecting Against Vulnerabilities in SharePoint Add-onsImperva
 
Cyber Security - IDS/IPS is not enough
Cyber Security - IDS/IPS is not enoughCyber Security - IDS/IPS is not enough
Cyber Security - IDS/IPS is not enoughSavvius, Inc
 
[Industry Intelligence Brief] Cyber Threats to the Legal and Professional Ser...
[Industry Intelligence Brief] Cyber Threats to the Legal and Professional Ser...[Industry Intelligence Brief] Cyber Threats to the Legal and Professional Ser...
[Industry Intelligence Brief] Cyber Threats to the Legal and Professional Ser...FireEye, Inc.
 

Tendances (20)

Application security
Application securityApplication security
Application security
 
CSSLP & OWASP & WebGoat
CSSLP & OWASP & WebGoatCSSLP & OWASP & WebGoat
CSSLP & OWASP & WebGoat
 
Owasp
Owasp Owasp
Owasp
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
 
Two-factor authentication- A sample writing _Zaman
Two-factor authentication- A sample writing _ZamanTwo-factor authentication- A sample writing _Zaman
Two-factor authentication- A sample writing _Zaman
 
Penetration and hacking training brief
Penetration and hacking training briefPenetration and hacking training brief
Penetration and hacking training brief
 
How I Learned to Stop Information Sharing and Love the DIKW
How I Learned to Stop Information Sharing and Love the DIKWHow I Learned to Stop Information Sharing and Love the DIKW
How I Learned to Stop Information Sharing and Love the DIKW
 
Corporate threat vector and landscape
Corporate threat vector and landscapeCorporate threat vector and landscape
Corporate threat vector and landscape
 
Secure Coding 2013
Secure Coding 2013 Secure Coding 2013
Secure Coding 2013
 
Why Penetration Tests Are Important Cyber51
Why Penetration Tests Are Important Cyber51Why Penetration Tests Are Important Cyber51
Why Penetration Tests Are Important Cyber51
 
Mobile security services 2012
Mobile security services 2012Mobile security services 2012
Mobile security services 2012
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security Testing
 
New Paradigms for the Next Era of Security
New Paradigms for the Next Era of SecurityNew Paradigms for the Next Era of Security
New Paradigms for the Next Era of Security
 
[DSBW Spring 2009] Unit 08: WebApp Security
[DSBW Spring 2009] Unit 08: WebApp Security[DSBW Spring 2009] Unit 08: WebApp Security
[DSBW Spring 2009] Unit 08: WebApp Security
 
Axoss Web Application Penetration Testing Services
Axoss Web Application Penetration Testing ServicesAxoss Web Application Penetration Testing Services
Axoss Web Application Penetration Testing Services
 
Network penetration testing
Network penetration testingNetwork penetration testing
Network penetration testing
 
REAL-TIME THREAT INTELLIGENCE FOR TRUSTED RELATIONSHIPS
REAL-TIME THREAT INTELLIGENCE FOR TRUSTED RELATIONSHIPSREAL-TIME THREAT INTELLIGENCE FOR TRUSTED RELATIONSHIPS
REAL-TIME THREAT INTELLIGENCE FOR TRUSTED RELATIONSHIPS
 
Protecting Against Vulnerabilities in SharePoint Add-ons
Protecting Against Vulnerabilities in SharePoint Add-onsProtecting Against Vulnerabilities in SharePoint Add-ons
Protecting Against Vulnerabilities in SharePoint Add-ons
 
Cyber Security - IDS/IPS is not enough
Cyber Security - IDS/IPS is not enoughCyber Security - IDS/IPS is not enough
Cyber Security - IDS/IPS is not enough
 
[Industry Intelligence Brief] Cyber Threats to the Legal and Professional Ser...
[Industry Intelligence Brief] Cyber Threats to the Legal and Professional Ser...[Industry Intelligence Brief] Cyber Threats to the Legal and Professional Ser...
[Industry Intelligence Brief] Cyber Threats to the Legal and Professional Ser...
 

En vedette

IQT 2010 - The App Does That!?
IQT 2010 - The App Does That!?IQT 2010 - The App Does That!?
IQT 2010 - The App Does That!?Tyler Shields
 
Intelligence on the Intractable Problem of Software Security
Intelligence on the Intractable Problem of Software SecurityIntelligence on the Intractable Problem of Software Security
Intelligence on the Intractable Problem of Software SecurityTyler Shields
 
CarolinaCon 2006 Reverse Engineering 101
CarolinaCon 2006 Reverse Engineering 101CarolinaCon 2006 Reverse Engineering 101
CarolinaCon 2006 Reverse Engineering 101Tyler Shields
 
Triangle InfoSecCon - Detecting Certified Pre-Owned Software and Devices
Triangle InfoSecCon - Detecting Certified Pre-Owned Software and DevicesTriangle InfoSecCon - Detecting Certified Pre-Owned Software and Devices
Triangle InfoSecCon - Detecting Certified Pre-Owned Software and DevicesTyler Shields
 
CarolinaCon 2008 Rootkits Then and Now
CarolinaCon 2008 Rootkits Then and NowCarolinaCon 2008 Rootkits Then and Now
CarolinaCon 2008 Rootkits Then and NowTyler Shields
 
BRUCon 2010 - The Monkey Steals the Berries
BRUCon 2010 - The Monkey Steals the BerriesBRUCon 2010 - The Monkey Steals the Berries
BRUCon 2010 - The Monkey Steals the BerriesTyler Shields
 
Dirty Little Secret - Mobile Applications Invading Your Privacy
Dirty Little Secret - Mobile Applications Invading Your PrivacyDirty Little Secret - Mobile Applications Invading Your Privacy
Dirty Little Secret - Mobile Applications Invading Your PrivacyTyler Shields
 
Lesson 6 web based attacks
Lesson 6 web based attacksLesson 6 web based attacks
Lesson 6 web based attacksFrank Victory
 
Web application security
Web application securityWeb application security
Web application securityrandhawa121985
 
Behind The Scenes Of Web Attacks
Behind The Scenes Of Web AttacksBehind The Scenes Of Web Attacks
Behind The Scenes Of Web AttacksMaurizio Abbà
 
When Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsWhen Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsSimon Willison
 
Web application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasuresWeb application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasuresCade Zvavanjanja
 
2010-11 The Anatomy of a Web Attack
2010-11 The Anatomy of a Web Attack 2010-11 The Anatomy of a Web Attack
2010-11 The Anatomy of a Web Attack Raleigh ISSA
 
Web application attack Presentation
Web application attack PresentationWeb application attack Presentation
Web application attack PresentationKhoa Nguyen
 
Cybersecurity 1. intro to cybersecurity
Cybersecurity 1. intro to cybersecurityCybersecurity 1. intro to cybersecurity
Cybersecurity 1. intro to cybersecuritysommerville-videos
 

En vedette (20)

IQT 2010 - The App Does That!?
IQT 2010 - The App Does That!?IQT 2010 - The App Does That!?
IQT 2010 - The App Does That!?
 
Intelligence on the Intractable Problem of Software Security
Intelligence on the Intractable Problem of Software SecurityIntelligence on the Intractable Problem of Software Security
Intelligence on the Intractable Problem of Software Security
 
CarolinaCon 2006 Reverse Engineering 101
CarolinaCon 2006 Reverse Engineering 101CarolinaCon 2006 Reverse Engineering 101
CarolinaCon 2006 Reverse Engineering 101
 
Triangle InfoSecCon - Detecting Certified Pre-Owned Software and Devices
Triangle InfoSecCon - Detecting Certified Pre-Owned Software and DevicesTriangle InfoSecCon - Detecting Certified Pre-Owned Software and Devices
Triangle InfoSecCon - Detecting Certified Pre-Owned Software and Devices
 
CarolinaCon 2008 Rootkits Then and Now
CarolinaCon 2008 Rootkits Then and NowCarolinaCon 2008 Rootkits Then and Now
CarolinaCon 2008 Rootkits Then and Now
 
BRUCon 2010 - The Monkey Steals the Berries
BRUCon 2010 - The Monkey Steals the BerriesBRUCon 2010 - The Monkey Steals the Berries
BRUCon 2010 - The Monkey Steals the Berries
 
Dirty Little Secret - Mobile Applications Invading Your Privacy
Dirty Little Secret - Mobile Applications Invading Your PrivacyDirty Little Secret - Mobile Applications Invading Your Privacy
Dirty Little Secret - Mobile Applications Invading Your Privacy
 
Lesson 6 web based attacks
Lesson 6 web based attacksLesson 6 web based attacks
Lesson 6 web based attacks
 
Web application security
Web application securityWeb application security
Web application security
 
Behind The Scenes Of Web Attacks
Behind The Scenes Of Web AttacksBehind The Scenes Of Web Attacks
Behind The Scenes Of Web Attacks
 
Presentation on Web Attacks
Presentation on Web AttacksPresentation on Web Attacks
Presentation on Web Attacks
 
Web attacks
Web attacksWeb attacks
Web attacks
 
When Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsWhen Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentals
 
Web application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasuresWeb application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasures
 
New web attacks-nethemba
New web attacks-nethembaNew web attacks-nethemba
New web attacks-nethemba
 
Real web-attack-scenario
Real web-attack-scenarioReal web-attack-scenario
Real web-attack-scenario
 
2010-11 The Anatomy of a Web Attack
2010-11 The Anatomy of a Web Attack 2010-11 The Anatomy of a Web Attack
2010-11 The Anatomy of a Web Attack
 
Web application attack Presentation
Web application attack PresentationWeb application attack Presentation
Web application attack Presentation
 
Cybersecurity 1. intro to cybersecurity
Cybersecurity 1. intro to cybersecurityCybersecurity 1. intro to cybersecurity
Cybersecurity 1. intro to cybersecurity
 
Web hack & attacks
Web hack & attacksWeb hack & attacks
Web hack & attacks
 

Similaire à Infragard 2004 - Web Attacks and Defenses

Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martindrewz lin
 
Security Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdfSecurity Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdfAmeliaJonas2
 
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...Alan Kan
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security TestingAlan Kan
 
Application security testing an integrated approach
Application security testing an integrated approachApplication security testing an integrated approach
Application security testing an integrated approachIdexcel Technologies
 
Web Services Security Tutorial
Web Services Security TutorialWeb Services Security Tutorial
Web Services Security TutorialJorgen Thelin
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris WysopalThreat Stack
 
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.IRJET- Bug Hunting using Web Application Penetration Testing Techniques.
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.IRJET Journal
 
Software Security Testing
Software Security TestingSoftware Security Testing
Software Security Testingankitmehta21
 
Introduction All research reports begin with an introduction. (.docx
Introduction All research reports begin with an introduction. (.docxIntroduction All research reports begin with an introduction. (.docx
Introduction All research reports begin with an introduction. (.docxvrickens
 
Hiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known VulnerabilitiesHiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known VulnerabilitiesImperva
 
Designing your applications with a security twist 2007
Designing your applications with a security twist 2007Designing your applications with a security twist 2007
Designing your applications with a security twist 2007Blue Slate Solutions
 
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.ITCamp
 
How Does a Data Breach Happen?
How Does a Data Breach Happen? How Does a Data Breach Happen?
How Does a Data Breach Happen? Claranet UK
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application SecurityPrateek Jain
 
Ibm app security assessment_ds
Ibm app security assessment_dsIbm app security assessment_ds
Ibm app security assessment_dsArun Gopinath
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
API Security: the full story
API Security: the full storyAPI Security: the full story
API Security: the full story42Crunch
 

Similaire à Infragard 2004 - Web Attacks and Defenses (20)

Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martin
 
Security Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdfSecurity Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdf
 
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security Testing
 
Application security testing an integrated approach
Application security testing an integrated approachApplication security testing an integrated approach
Application security testing an integrated approach
 
Web Services Security Tutorial
Web Services Security TutorialWeb Services Security Tutorial
Web Services Security Tutorial
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
 
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.IRJET- Bug Hunting using Web Application Penetration Testing Techniques.
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.
 
Security Testing
Security TestingSecurity Testing
Security Testing
 
Software Security Testing
Software Security TestingSoftware Security Testing
Software Security Testing
 
Introduction All research reports begin with an introduction. (.docx
Introduction All research reports begin with an introduction. (.docxIntroduction All research reports begin with an introduction. (.docx
Introduction All research reports begin with an introduction. (.docx
 
Hiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known VulnerabilitiesHiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known Vulnerabilities
 
Designing your applications with a security twist 2007
Designing your applications with a security twist 2007Designing your applications with a security twist 2007
Designing your applications with a security twist 2007
 
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
 
Introduction to security testing raj
Introduction to security testing rajIntroduction to security testing raj
Introduction to security testing raj
 
How Does a Data Breach Happen?
How Does a Data Breach Happen? How Does a Data Breach Happen?
How Does a Data Breach Happen?
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application Security
 
Ibm app security assessment_ds
Ibm app security assessment_dsIbm app security assessment_ds
Ibm app security assessment_ds
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
API Security: the full story
API Security: the full storyAPI Security: the full story
API Security: the full story
 

Plus de Tyler Shields

The New Mobile Landscape - OWASP Ireland
The New Mobile Landscape - OWASP IrelandThe New Mobile Landscape - OWASP Ireland
The New Mobile Landscape - OWASP IrelandTyler Shields
 
Defending Behind the Mobile Device
Defending Behind the Mobile DeviceDefending Behind the Mobile Device
Defending Behind the Mobile DeviceTyler Shields
 
Avoiding the Pandora Pitfall
Avoiding the Pandora PitfallAvoiding the Pandora Pitfall
Avoiding the Pandora PitfallTyler Shields
 
Social and Mobile and Cloud - OH MY!
Social and Mobile and Cloud - OH MY!Social and Mobile and Cloud - OH MY!
Social and Mobile and Cloud - OH MY!Tyler Shields
 
Social Media Basics: Security Loopholes with Twitter & Other Social Media
Social Media Basics: Security Loopholes with Twitter & Other Social MediaSocial Media Basics: Security Loopholes with Twitter & Other Social Media
Social Media Basics: Security Loopholes with Twitter & Other Social MediaTyler Shields
 
United Security Summit 2011 - Using the Mobile Top 10 as a Guide to Assessing...
United Security Summit 2011 - Using the Mobile Top 10 as a Guide to Assessing...United Security Summit 2011 - Using the Mobile Top 10 as a Guide to Assessing...
United Security Summit 2011 - Using the Mobile Top 10 as a Guide to Assessing...Tyler Shields
 
Shmoocon 2010 - The Monkey Steals the Berries
Shmoocon 2010 - The Monkey Steals the BerriesShmoocon 2010 - The Monkey Steals the Berries
Shmoocon 2010 - The Monkey Steals the BerriesTyler Shields
 
Survey of Rootkit Technologies and Their Impact on Digital Forensics
Survey of Rootkit Technologies and Their Impact on Digital ForensicsSurvey of Rootkit Technologies and Their Impact on Digital Forensics
Survey of Rootkit Technologies and Their Impact on Digital ForensicsTyler Shields
 
Source Boston 2009 - Anti-Debugging A Developers Viewpoint
Source Boston 2009 - Anti-Debugging A Developers ViewpointSource Boston 2009 - Anti-Debugging A Developers Viewpoint
Source Boston 2009 - Anti-Debugging A Developers ViewpointTyler Shields
 
Source Boston 2010 - The Monkey Steals the Berries Part Deux
Source Boston 2010 - The Monkey Steals the Berries Part DeuxSource Boston 2010 - The Monkey Steals the Berries Part Deux
Source Boston 2010 - The Monkey Steals the Berries Part DeuxTyler Shields
 
Software Developers Forum 2010 - The Monkey Steals the Berries
Software Developers Forum 2010 - The Monkey Steals the BerriesSoftware Developers Forum 2010 - The Monkey Steals the Berries
Software Developers Forum 2010 - The Monkey Steals the BerriesTyler Shields
 
Raleigh ISSA 2010 - The Monkey Steals the Berries
Raleigh ISSA 2010 - The Monkey Steals the BerriesRaleigh ISSA 2010 - The Monkey Steals the Berries
Raleigh ISSA 2010 - The Monkey Steals the BerriesTyler Shields
 
Static Detection of Application Backdoors
Static Detection of Application BackdoorsStatic Detection of Application Backdoors
Static Detection of Application BackdoorsTyler Shields
 
Blackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned SoftwareBlackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned SoftwareTyler Shields
 
Anti-Debugging - A Developers View
Anti-Debugging - A Developers ViewAnti-Debugging - A Developers View
Anti-Debugging - A Developers ViewTyler Shields
 
Praetorian Veracode Webinar - Mobile Privacy
Praetorian Veracode Webinar - Mobile PrivacyPraetorian Veracode Webinar - Mobile Privacy
Praetorian Veracode Webinar - Mobile PrivacyTyler Shields
 
Owasp Ireland - The State of Software Security
Owasp Ireland - The State of Software SecurityOwasp Ireland - The State of Software Security
Owasp Ireland - The State of Software SecurityTyler Shields
 
More Apps More Problems
More Apps More ProblemsMore Apps More Problems
More Apps More ProblemsTyler Shields
 
IT Hot Topics - Mobile Security Threats at Every Layer
IT Hot Topics - Mobile Security Threats at Every LayerIT Hot Topics - Mobile Security Threats at Every Layer
IT Hot Topics - Mobile Security Threats at Every LayerTyler Shields
 
IT Hot Topics 2010 - The Coming Wave of Smartphone Attacks
IT Hot Topics 2010 - The Coming Wave of Smartphone AttacksIT Hot Topics 2010 - The Coming Wave of Smartphone Attacks
IT Hot Topics 2010 - The Coming Wave of Smartphone AttacksTyler Shields
 

Plus de Tyler Shields (20)

The New Mobile Landscape - OWASP Ireland
The New Mobile Landscape - OWASP IrelandThe New Mobile Landscape - OWASP Ireland
The New Mobile Landscape - OWASP Ireland
 
Defending Behind the Mobile Device
Defending Behind the Mobile DeviceDefending Behind the Mobile Device
Defending Behind the Mobile Device
 
Avoiding the Pandora Pitfall
Avoiding the Pandora PitfallAvoiding the Pandora Pitfall
Avoiding the Pandora Pitfall
 
Social and Mobile and Cloud - OH MY!
Social and Mobile and Cloud - OH MY!Social and Mobile and Cloud - OH MY!
Social and Mobile and Cloud - OH MY!
 
Social Media Basics: Security Loopholes with Twitter & Other Social Media
Social Media Basics: Security Loopholes with Twitter & Other Social MediaSocial Media Basics: Security Loopholes with Twitter & Other Social Media
Social Media Basics: Security Loopholes with Twitter & Other Social Media
 
United Security Summit 2011 - Using the Mobile Top 10 as a Guide to Assessing...
United Security Summit 2011 - Using the Mobile Top 10 as a Guide to Assessing...United Security Summit 2011 - Using the Mobile Top 10 as a Guide to Assessing...
United Security Summit 2011 - Using the Mobile Top 10 as a Guide to Assessing...
 
Shmoocon 2010 - The Monkey Steals the Berries
Shmoocon 2010 - The Monkey Steals the BerriesShmoocon 2010 - The Monkey Steals the Berries
Shmoocon 2010 - The Monkey Steals the Berries
 
Survey of Rootkit Technologies and Their Impact on Digital Forensics
Survey of Rootkit Technologies and Their Impact on Digital ForensicsSurvey of Rootkit Technologies and Their Impact on Digital Forensics
Survey of Rootkit Technologies and Their Impact on Digital Forensics
 
Source Boston 2009 - Anti-Debugging A Developers Viewpoint
Source Boston 2009 - Anti-Debugging A Developers ViewpointSource Boston 2009 - Anti-Debugging A Developers Viewpoint
Source Boston 2009 - Anti-Debugging A Developers Viewpoint
 
Source Boston 2010 - The Monkey Steals the Berries Part Deux
Source Boston 2010 - The Monkey Steals the Berries Part DeuxSource Boston 2010 - The Monkey Steals the Berries Part Deux
Source Boston 2010 - The Monkey Steals the Berries Part Deux
 
Software Developers Forum 2010 - The Monkey Steals the Berries
Software Developers Forum 2010 - The Monkey Steals the BerriesSoftware Developers Forum 2010 - The Monkey Steals the Berries
Software Developers Forum 2010 - The Monkey Steals the Berries
 
Raleigh ISSA 2010 - The Monkey Steals the Berries
Raleigh ISSA 2010 - The Monkey Steals the BerriesRaleigh ISSA 2010 - The Monkey Steals the Berries
Raleigh ISSA 2010 - The Monkey Steals the Berries
 
Static Detection of Application Backdoors
Static Detection of Application BackdoorsStatic Detection of Application Backdoors
Static Detection of Application Backdoors
 
Blackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned SoftwareBlackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned Software
 
Anti-Debugging - A Developers View
Anti-Debugging - A Developers ViewAnti-Debugging - A Developers View
Anti-Debugging - A Developers View
 
Praetorian Veracode Webinar - Mobile Privacy
Praetorian Veracode Webinar - Mobile PrivacyPraetorian Veracode Webinar - Mobile Privacy
Praetorian Veracode Webinar - Mobile Privacy
 
Owasp Ireland - The State of Software Security
Owasp Ireland - The State of Software SecurityOwasp Ireland - The State of Software Security
Owasp Ireland - The State of Software Security
 
More Apps More Problems
More Apps More ProblemsMore Apps More Problems
More Apps More Problems
 
IT Hot Topics - Mobile Security Threats at Every Layer
IT Hot Topics - Mobile Security Threats at Every LayerIT Hot Topics - Mobile Security Threats at Every Layer
IT Hot Topics - Mobile Security Threats at Every Layer
 
IT Hot Topics 2010 - The Coming Wave of Smartphone Attacks
IT Hot Topics 2010 - The Coming Wave of Smartphone AttacksIT Hot Topics 2010 - The Coming Wave of Smartphone Attacks
IT Hot Topics 2010 - The Coming Wave of Smartphone Attacks
 

Dernier

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 

Dernier (20)

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 

Infragard 2004 - Web Attacks and Defenses

  • 1. Web Attacks and Defenses Vulnerable .Net PetStore Demo Tyler Shields & Anthony Barkley July 12, 2004
  • 2. PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Agenda Introduction Application Attacks Overview Attack Methodologies Demonstration Platform Details Demo of Common Vulnerabilities Cross-site Scripting Directory Traversal SQL Injection Verbose Error Messages Price Fixing (aka Parameter Tampering) Information Disclosure Review Questions
  • 3. PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Introduction @Stake, Inc. – Premier digital security consulting company – Services cover key aspects of security, including applications security, critical infrastructure, wireless and wired networks, storage systems, education, and incident readiness. – @stake clients include six of the world's top ten financial institutions, four of the world's top ten independent software companies and seven of the world's top ten telecommunications carriers. – Offices in RTP, Chicago, London, Boston, San Francisco, Seattle, New York City, Denver.
  • 4. PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Introduction Anthony Barkley – Technical Director for @stake's RTP office. He has been working in the security industry for over a decade with his primary focus on security for enterprise and Application Service Provider (ASP) infrastructures. His professional experience includes systems integration, internetworking, security architecture, teaching, and project management from concept to implementation. Anthony holds a BA from North Carolina State University and has completed numerous certifications, including the CCSA, CCSE, MCSA, MCSE and CISSP. Tyler Shields – Senior Security Architect with @stake, Inc. Tyler's primary focus is application penetration testing and analysis. He has presented at major industry conferences, taught security courses, and has been involved in the security community for nearly a decade contributing to many prominent mailing lists and open source security projects. Tyler graduated from the Rochester Institute of Technology, in Rochester, NY with a BS in Information Technology and since has acquired a number of security certifications including his CCSA, CCSE, and CISSP.
  • 5. PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Application Attacks Overview Application security measures are often implemented at the network level – This will not work effectively as network ACLs cannot protect against the use of valid connections – Network security cannot generally provide adequate protection at the application level – Network implemented application controls may introduce significant impact on performance Applications are the next generation attack point – Information about application attacks is more readily available – Protections against application attacks are not as robust or mature as network security – Tools for testing applications are becoming more readily available
  • 6. PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Application Attacks Overview Applications are targeted because they are the access point for data, products, resources, and money – Even with conventional network defense, many applications can be attacked – Security controls around applications can be bypassed, which allows attackers to: Modify information Steal products Credit money to accounts – In some cases the attack may grant access to other portions of the application or to the environment – The attack may not even involve theft If the attacker understands the system being attacked, it is possible that they will be able to merely “borrow” resources
  • 7. PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Attack Methodology Discover Target Attack
  • 8. PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Attack Methodology: Discover Examine the environment – Identify what types and version of applications are running (banners/headers) – Identify what ports are open for communication to the server and the application – Examine extensions: foo.jhtml, foo.shtml - will often reveal the application server engine (weblogic, coldfusion, tomcat, etc.) Generate and examine errors – Submit ridiculous input and monitor response (fuzzing) – Database errors are extremely helpful Look for information left behind from development – Sample code or snippets
  • 9. PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Attack Methodology: Discover Look for configuration errors: – Use a sniffer to examine traffic – Review client software – Use network scanning and probing tools Look for environment errors: – Identify ways to circumvent application security controls – Reveal program data flow and logic flow – Reveal critical systems that are easier to attack than the original target
  • 10. PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Attack Methodology: Discover Use a debug proxy to intercept client-server communications – Observe application traffic and modify components of application traffic independently of the client – Look for hidden fields and notes embedded in the source – Developers tend to make assumptions about the integrity of “client” generated data, like headers and other data that is supposedly concealed from the user -- abuse these assumptions Include a regular expression engine to make on the fly replacements Use an existing tool or a write a new one – HTTP: HTTPush, RFProxy, @stake Webproxy
  • 11. PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Attack Methodology: Target Login Mechanism Session Management Input Fields Unprotected Interfaces Application Related Infrastructure Application Related Networks
  • 12. PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Demonstration Platform Details Microsoft .Net PetShop 3.0 is Microsoft’s implementation of a J2EE sample application. – Original application can be found at : http://msdn.microsoft.com/library/default.asp?url=/library/en- us/dnbda/html/psimp.asp?frame=true Does not out of the box have these vulnerabilities – Added by @stake for demonstration purposes Vulnerabilities based on common web application issues found in production environments. Platform built on Windows 2000 Server, IIS 5.0 and SQL Server 2000
  • 13. PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Demonstration Platform Details What it is and what does it do Vulnerability identification Execution of the vulnerability Review of faulty application code Possible mitigation techniques
  • 14. PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Common Vulnerabilities - Cross Site Scripting (XSS) What it is and what does it do – XSS is the injection of code or script into a web page that is then displayed to a third party executing the script in the context of their web browser. Vulnerability identification – Look for anywhere were client supplied data is redisplayed to the end user and not properly input validated or output encoded. Execution of the vulnerability – Inject some simple script and see if the resulting page contains your data.
  • 15. PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Common Vulnerabilities - Cross Site Scripting (XSS) Review of faulty application code – Search Results for "<%=Request["keywords"]%>“ – Lack of input validation and output encoding Possible mitigation techniques – Input validation and output encoding The original code htmlEncodes suspicious values on output Validate all input against a known set of approved characters – Defense in depth: Truncate all input fields to a max reasonable length Out-of the box .Net bans ‘<‘
  • 16. PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Cross Site Scripting Demonstration http://TARGETIP/MSPetShop/Search.aspx?keywords=<script>alert("hello%20world");</script>
  • 17. PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Common Vulnerabilities – SQL Injection What it is and what does it do – SQL Injection is a vulnerability allowing an attacker to submit SQL statements of their choosing that are then processed by the application. Vulnerability identification – Typical identification techniques include submitting characters such as ‘, “, or – characters into an input field. Based on the resulting errors and/or data, SQL Injection points may be identified. Execution of the vulnerability – Longer cycle of execution. Based on resulting error pages and/or data the entire database schema and stored data may be compromised.
  • 18. PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Common Vulnerabilities – SQL Injection Review of faulty application code – string sql = "SELECT Item.ItemId, Item.Attr1, Inventory.Qty, Item.ListPrice, Product.Name, Product.Descn FROM Item INNER JOIN Inventory ON Item.ItemId = Inventory.ItemId INNER JOIN Product ON Item.ProductId = Product.ProductId WHERE Item.ItemId = '"+itemId+"';"; – Lack of input validation – Dynamically concatenated SQL statements
  • 19. PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Common Vulnerabilities – SQL Injection Possible mitigation techniques – Input Validation The original code htmlEncodes suspicious values such as ’ Input validation: itemId should not contain anything but A-Z,0-9 and not be longer than 15 characters. Use white-list based input filtering. – Prepared statements Arguments are added to the statement after it is parsed for validation Limited privileges: Create a “browse” identity with only select privileges on the products tables
  • 20. PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. SQL Injection Demonstration http://TARGETIP/MSPetShop/Items.aspx?productId=FI-FW- 01'%20union%20select%20*%20from%20credentials;--
  • 21. PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Common Vulnerabilities – Price Fixing What it is and what does it do – Commonly referred to as parameter manipulation attacks – Allows the attacker to modify values that are then utilized by the application in an unchecked fashion Vulnerability identification – Modification of parameters in a logical fashion in an attempt to verify the validation and authorization routines of the application server Execution of the vulnerability – If possible modify in the URL directly – Alternatively utilize an http(s) intercepting proxy
  • 22. PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Common Vulnerabilities – Price Fixing Review of faulty application code – decimal price = decimal.Parse(Request["UnitPrice"]); myCart.Add(itemId,price); – Data stored client side utilized directly in the application business logic – No verification of pricing (parameter) against server side data Possible mitigation techniques – Do not store sensitive information client side If you must, encrypt and sign the data – Do not trust client data Verify that user supplied data has not been tampered with
  • 23. PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Price Fixing - Demonstration http://TARGETIP/MSPetShop/ShoppingCart.aspx?itemId=EST-4&UnitPrice=0.99
  • 24. PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Common Vulnerabilities – Directory Traversal What it is and what does it do – Allow the attacker to download or gain access to files outside of the normal web directory structure Vulnerability identification – Manipulation of parameters with .. And / or characters in an attempt to bypass normal directory structures Execution of the vulnerability – Modify the parameters within the URL – Alternatively intercept the request and modify hidden fields or modify the content of the HTTP POST
  • 25. PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Common Vulnerabilities – Directory Traversal Review of faulty application code – string path = "c:PetStore.review"+itemId; using (StreamReader sr = new StreamReader(path)) – Lack of input validation – File access granted where not specifically required Possible mitigation techniques – Validate all input – Utilize a lower privileged account – Only grant permissions on specifically required files – Use “Mappath” method to safely generate a file path
  • 26. PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Directory Traversal - Demonstration http://TARGETIP/MSPetShop/ItemDetails.aspx?itemId=..odbcconf.log
  • 27. PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Common Vulnerabilities – Verbose Error Messages What it is and what does it do – Presenting the end user with verbose error messages including potentially sensitive information – Utilized to further other attacks against the system Vulnerability identification – No special technique required – Review all error messages in detail Execution of the vulnerability – May directly result in an attack vector presenting itself for exploit – May leak information that can be used in conjunction with other attack vectors
  • 28. PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Common Vulnerabilities – Verbose Error Messages Review of faulty application code – Configuration error allowing the web service to be available for requests – Error presents detailed information Possible mitigation techniques – Modify the resulting page to have a limited error message – Configure the server so this functionality is not available or remove it all together
  • 29. PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Verbose Error Messages - Demonstration http://192.168.0.180/MSPetShop/WebServices.asmx?op=SignOn
  • 30. PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Common Vulnerabilities – Information Disclosure What it is and what does it do – Default functionality leaks information – Allows an attacker to gain knowledge about the target environment – May leak sensitive data Vulnerability identification – Subtle differences in information displayed in the browser – Comments left in production code – Application functionality that does not require authentication
  • 31. PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Common Vulnerabilities – Information Disclosure Execution of the vulnerability – Varies dependant upon the type of information disclosure – May be an error scenario – May be standard functionality available without authentication Review of faulty application code – Commonly a configuration error – May be extra information in comments or in presented data Possible mitigation techniques – Require authentication on all requests – Verify presented data can not be used against in other attacks
  • 32. PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Information Disclosure - Demonstration
  • 33. PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Review - Attacks Cross-site Scripting SQL Injection Price Fixing (aka Parameter Tampering) Directory Traversal Verbose Error Messages Information Disclosure
  • 34. PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Review - Defenses Input validation Output sanitation and encoding Least privilege accounts and account permissions Limit error message information Require authentication and authorization for all requests Harden the web application removing extraneous content
  • 35. PROPRIETARY AND CONFIDENTIAL ©2003 @STAKE, INC. Questions