SlideShare une entreprise Scribd logo

Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013

Télécharger en tant que PPTX, PDF
Lostar
Lostar
Technologie
1  sur  26
The “Top 10” Web Application Security Risks Murat Lostar
Why Web Application Security? • Mid – late 90s. • Early – 2000s. • Today • Tomorrow - Cloud, M2M • Always - People
OWASP – Top10 1. Injection 2. Broken Authentication and Session Management 3. Cross-Site Scripting (XSS) 4. Insecure Direct Object References 5. Security Misconfiguration 6. Sensitive Data Exposure 7. Missing Functional Level Access Control 8. Cross-Site Request Forgery (CSRF) 9. Using Known Vulnerable Components 10. Unvalidated Redirects and Forwards
1. Injection • Application sends untrusted data to an interpreter • Types: SQL, LDAP, Xpath, NoSQL queries; OS commands; XML parsers, SMTP Headers, program arguments, etc.
Injection Example • If exist (Select * from users where id= ‘@Name’ and pw= ‘@Pass’;) then logon successful
Injection Example • Username: admin • Password: ‘ or 1=1 -- • If exist (Select * from users where id= ‘admin‘ and pw= ‘‘ or 1=1 --’;) • Logon successful
Free Injection Scanner (example) • http://www.mavitunasecurity.com/community edition/
2. Broken Authentication and Session Management Reinventing the wheel… … not quite.
Example: Session Fixation
3. Cross-Site Scripting (XSS) • Using the vulnerable web site to attack another user (victim)
Different XSS Types XSS Persistent Stored Distributed Non- Persistent Reflected DOM- Based Combined
4. Insecure Direct Object References • User logs into the application • Can see own account information http://example.com/app/accountInfo?acct=MyAcctNumber • Is it possible to get other account infos? http://example.com/app/accountInfo?acct=NotMyAcctNumber
5. Security Misconfiguration
Questions to ask • Software out of date? (OS, Web/App Server, DBMS, applications, and all code libraries) • Unnecessary features enabled or installed? (ports, services, pages, accounts, privileges, …) • Default accounts and their passwords still the same? • Default error messages? • Insecure development frameworks settings?
6. Sensitive Data Exposure • Data stored in clear text long term, including backups • Data transmitted in clear text, internally or externally • Old / weak cryptographic algorithms • Weak crypto keys generated / No proper key management
Test yourself • HTTPS/SSL: http://www.ssllabs.com/ssltest/ • EMAIL/TLS: http://www.checktls.com
7. Missing Functional Level Access Control • Using the URL independent of logon process without authorization
8. Cross-Site Request Forgery (CSRF) • Money transfer app for the bank: – GET http://bank.com/transfer.do?acct=BOB&amount=100 HTTP/1.1 • Preparing false URL: – http://bank.com/transfer.do?acct=MARIA&amount=100000 • Trick the user to send this URL: – <a href="http://bank.com/transfer.do?acct=MARIA&amount=10000 0">View my Pictures!</a> – <img src="http://bank.com/transfer.do?acct=MARIA&amount=100000 " width="1" height="1" border="0">
CSRF Testing www.owasp.org/index.ph p/CSRFTester
9. Using Known Vulnerable Components • Using old, unpatched components within applications • Most difficult to discover • Requires detailed inventory of components to mitigate
10. Unvalidated Redirects and Forwards • http://www.example.com/redirect.jsp?url =evil.com • http://www.example.com/boring.jsp?fwd= admin.jsp • Check for spider 300-307 (302) responses
How to prevent/solve these? - %80 - %20 rule
Input validation • White-listing (BEST) • Black-listing • Sanitizing • Data type • Data format • Data lenght
Use strong authentication • Something you know – Passwords, PINS, etc • Something you have – Mobile phones (SMS), bank cards, OTP, etc • Something you are – Fingerprint, retina, voice, etc
Last words • Web application security requires – Secure software lifecycle • Risk management • Security KPIs • Code security review (automated & automatic) – Continuous monitoring and pen testing – Management commitment
Thank you. • Murat Lostar – Linkedin.com/in/lostar – www.lostar.com – Refs: OWASP, CERT, WIKIPEDIA, ISACA

Recommandé

OWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementOWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementNikola Milosevic
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
Cyber ppt
Cyber pptCyber ppt
Cyber pptkarthik menon
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentationAshwini Paranjpe
 
Web Security Attacks
Web Security AttacksWeb Security Attacks
Web Security AttacksSajid Hasan
 
Presentation on Web Attacks
Presentation on Web AttacksPresentation on Web Attacks
Presentation on Web AttacksVivek Sinha Anurag
 
OWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksOWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksKun-Da Wu
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 

Recommandé

OWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementOWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementNikola Milosevic
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
Cyber ppt
Cyber pptCyber ppt
Cyber pptkarthik menon
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentationAshwini Paranjpe
 
Web Security Attacks
Web Security AttacksWeb Security Attacks
Web Security AttacksSajid Hasan
 
Presentation on Web Attacks
Presentation on Web AttacksPresentation on Web Attacks
Presentation on Web AttacksVivek Sinha Anurag
 
OWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksOWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksKun-Da Wu
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessmentRavikumar Paghdal
 
Owasp top10salesforce
Owasp top10salesforceOwasp top10salesforce
Owasp top10salesforcegbreavin
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & TestingDeepu S Nath
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
OWASP Top Ten 2017
OWASP Top Ten 2017OWASP Top Ten 2017
OWASP Top Ten 2017Michael Furman
 
Web Hacking Intro
Web Hacking IntroWeb Hacking Intro
Web Hacking IntroAditya Kamat
 
Secure Web Applications Ver0.01
Secure Web Applications Ver0.01Secure Web Applications Ver0.01
Secure Web Applications Ver0.01Vasan Ramadoss
 
Error codes & custom 404s
Error codes & custom 404sError codes & custom 404s
Error codes & custom 404sRonan Dunne, CEH, SSCP
 
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) EuropeWakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) EuropeAlexandre Morgaut
 
Web application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresWeb application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresAung Thu Rha Hein
 
Application fuzzing
Application fuzzingApplication fuzzing
Application fuzzingBlueinfy Solutions
 
Step by step guide for web application security testing
Step by step guide for web application security testingStep by step guide for web application security testing
Step by step guide for web application security testingAvyaan, Web Security Company in India
 
Owasp 2017 oveview
Owasp 2017 oveviewOwasp 2017 oveview
Owasp 2017 oveviewShreyas N
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesMarco Morana
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration Tariq Islam
 
Web Application Security 101 - 04 Testing Methodology
Web Application Security 101 - 04 Testing MethodologyWeb Application Security 101 - 04 Testing Methodology
Web Application Security 101 - 04 Testing MethodologyWebsecurify
 
Owasp healthcare cms
Owasp healthcare cmsOwasp healthcare cms
Owasp healthcare cmsuisgslide
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
OWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum Top 10 A3 - 6th meetingOWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum Top 10 A3 - 6th meetingOWASP Khartoum
 
AJAX Security - LAC2016
AJAX Security - LAC2016AJAX Security - LAC2016
AJAX Security - LAC2016Julia Logan a.k.a. IrishWonder
 
Security Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramSecurity Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramOpenDNS
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding GuideGeoffrey Vandiest
 

Contenu connexe

Tendances

Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessmentRavikumar Paghdal
 
Owasp top10salesforce
Owasp top10salesforceOwasp top10salesforce
Owasp top10salesforcegbreavin
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & TestingDeepu S Nath
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
Secure Web Applications Ver0.01
Secure Web Applications Ver0.01Secure Web Applications Ver0.01
Secure Web Applications Ver0.01Vasan Ramadoss
 
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) EuropeWakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) EuropeAlexandre Morgaut
 
Web application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresWeb application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresAung Thu Rha Hein
 
Owasp 2017 oveview
Owasp 2017 oveviewOwasp 2017 oveview
Owasp 2017 oveviewShreyas N
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesMarco Morana
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration Tariq Islam
 
Web Application Security 101 - 04 Testing Methodology
Web Application Security 101 - 04 Testing MethodologyWeb Application Security 101 - 04 Testing Methodology
Web Application Security 101 - 04 Testing MethodologyWebsecurify
 
Owasp healthcare cms
Owasp healthcare cmsOwasp healthcare cms
Owasp healthcare cmsuisgslide
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
OWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum Top 10 A3 - 6th meetingOWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum Top 10 A3 - 6th meetingOWASP Khartoum
 

Tendances (20)

Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessment
 
Owasp top10salesforce
Owasp top10salesforceOwasp top10salesforce
Owasp top10salesforce
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & Testing
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
 
OWASP Top Ten 2017
OWASP Top Ten 2017OWASP Top Ten 2017
OWASP Top Ten 2017
 
Web Hacking Intro
Web Hacking IntroWeb Hacking Intro
Web Hacking Intro
 
Secure Web Applications Ver0.01
Secure Web Applications Ver0.01Secure Web Applications Ver0.01
Secure Web Applications Ver0.01
 
Error codes & custom 404s
Error codes & custom 404sError codes & custom 404s
Error codes & custom 404s
 
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) EuropeWakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
 
Web application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresWeb application security: Threats & Countermeasures
Web application security: Threats & Countermeasures
 
Application fuzzing
Application fuzzingApplication fuzzing
Application fuzzing
 
Step by step guide for web application security testing
Step by step guide for web application security testingStep by step guide for web application security testing
Step by step guide for web application security testing
 
Owasp 2017 oveview
Owasp 2017 oveviewOwasp 2017 oveview
Owasp 2017 oveview
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root Causes
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration
 
Web Application Security 101 - 04 Testing Methodology
Web Application Security 101 - 04 Testing MethodologyWeb Application Security 101 - 04 Testing Methodology
Web Application Security 101 - 04 Testing Methodology
 
Owasp healthcare cms
Owasp healthcare cmsOwasp healthcare cms
Owasp healthcare cms
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
OWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum Top 10 A3 - 6th meetingOWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum Top 10 A3 - 6th meeting
 
AJAX Security - LAC2016
AJAX Security - LAC2016AJAX Security - LAC2016
AJAX Security - LAC2016
 

Similaire à Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013

Security Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramSecurity Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramOpenDNS
 
Attacking Web Applications
Attacking Web ApplicationsAttacking Web Applications
Attacking Web ApplicationsSasha Goldshtein
 
Making Web Development "Secure By Default"
Making Web Development "Secure By Default" Making Web Development "Secure By Default"
Making Web Development "Secure By Default" Duo Security
 
OWASPTop 10
OWASPTop 10OWASPTop 10
OWASPTop 10InnoTech
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013tmd800
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentationowasp-pune
 
Top 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanTop 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanAkash Mahajan
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
The path of secure software by Katy Anton
The path of secure software by Katy AntonThe path of secure software by Katy Anton
The path of secure software by Katy AntonDevSecCon
 
Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Masoud Kalali
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
Java EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishJava EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishMarkus Eisele
 
Lesson 6 web based attacks
Lesson 6 web based attacksLesson 6 web based attacks
Lesson 6 web based attacksFrank Victory
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101 Stormpath
 

Similaire à Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013 (20)

Security Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramSecurity Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training Program
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
 
Web Security
Web SecurityWeb Security
Web Security
 
Attacking Web Applications
Attacking Web ApplicationsAttacking Web Applications
Attacking Web Applications
 
Making Web Development "Secure By Default"
Making Web Development "Secure By Default" Making Web Development "Secure By Default"
Making Web Development "Secure By Default"
 
OWASPTop 10
OWASPTop 10OWASPTop 10
OWASPTop 10
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013
 
OWASP Top Ten in Practice
OWASP Top Ten in PracticeOWASP Top Ten in Practice
OWASP Top Ten in Practice
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
 
Top 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanTop 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajan
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
The path of secure software by Katy Anton
The path of secure software by Katy AntonThe path of secure software by Katy Anton
The path of secure software by Katy Anton
 
Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Java EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishJava EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFish
 
Lesson 6 web based attacks
Lesson 6 web based attacksLesson 6 web based attacks
Lesson 6 web based attacks
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: Injection
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101
 
WebApps_Lecture_15.ppt
WebApps_Lecture_15.pptWebApps_Lecture_15.ppt
WebApps_Lecture_15.ppt
 

Plus de Lostar

VERBİS'e kayıt nasıl yapılacak? KVKK - Lostar
VERBİS'e kayıt nasıl yapılacak? KVKK - LostarVERBİS'e kayıt nasıl yapılacak? KVKK - Lostar
VERBİS'e kayıt nasıl yapılacak? KVKK - LostarLostar
 
KVKK ve GDPR'a BT Uyumu
KVKK ve GDPR'a BT UyumuKVKK ve GDPR'a BT Uyumu
KVKK ve GDPR'a BT UyumuLostar
 
DDoS - Dağıtık Hizmet Engelleme Saldırıları
DDoS - Dağıtık Hizmet Engelleme SaldırılarıDDoS - Dağıtık Hizmet Engelleme Saldırıları
DDoS - Dağıtık Hizmet Engelleme SaldırılarıLostar
 
Bulut & Güvenlik - Güvence Nasıl Sağlanır?
Bulut & Güvenlik - Güvence Nasıl Sağlanır?Bulut & Güvenlik - Güvence Nasıl Sağlanır?
Bulut & Güvenlik - Güvence Nasıl Sağlanır?Lostar
 
Endüstri 4.0 Güvenliği
Endüstri 4.0 GüvenliğiEndüstri 4.0 Güvenliği
Endüstri 4.0 GüvenliğiLostar
 
IoT ve Güvenlik Ekim2017
IoT ve Güvenlik Ekim2017IoT ve Güvenlik Ekim2017
IoT ve Güvenlik Ekim2017Lostar
 
Endüstri 4.0 / Güvenlik 4.0
Endüstri 4.0 / Güvenlik 4.0Endüstri 4.0 / Güvenlik 4.0
Endüstri 4.0 / Güvenlik 4.0Lostar
 
Wannacry.Lostar
Wannacry.LostarWannacry.Lostar
Wannacry.LostarLostar
 
BLOCKCHAIN
BLOCKCHAINBLOCKCHAIN
BLOCKCHAINLostar
 
Dijitalleşme çağında bilgi güvenliği'nin önemli ve alınabilecek önlemler
Dijitalleşme çağında bilgi güvenliği'nin önemli ve alınabilecek önlemlerDijitalleşme çağında bilgi güvenliği'nin önemli ve alınabilecek önlemler
Dijitalleşme çağında bilgi güvenliği'nin önemli ve alınabilecek önlemlerLostar
 
Kişisel Verileri Koruma Kanunu (KVKK) - BT Uyumu
Kişisel Verileri Koruma Kanunu (KVKK) - BT UyumuKişisel Verileri Koruma Kanunu (KVKK) - BT Uyumu
Kişisel Verileri Koruma Kanunu (KVKK) - BT UyumuLostar
 
Herşeyin Güvenliği - Murat Lostar - 2.Bilişim Hukuku Zirvesi
Herşeyin Güvenliği - Murat Lostar - 2.Bilişim Hukuku ZirvesiHerşeyin Güvenliği - Murat Lostar - 2.Bilişim Hukuku Zirvesi
Herşeyin Güvenliği - Murat Lostar - 2.Bilişim Hukuku ZirvesiLostar
 
Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESS
Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESSBest Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESS
Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESSLostar
 
Bulut Bilişim Güvenliği Nasıl Ölçülür? Cloud Controls Matrix - Lostar
Bulut Bilişim Güvenliği Nasıl Ölçülür? Cloud Controls Matrix - LostarBulut Bilişim Güvenliği Nasıl Ölçülür? Cloud Controls Matrix - Lostar
Bulut Bilişim Güvenliği Nasıl Ölçülür? Cloud Controls Matrix - LostarLostar
 
Lostar Microsoft Zirve 2007 Guvenlik
Lostar Microsoft Zirve 2007 GuvenlikLostar Microsoft Zirve 2007 Guvenlik
Lostar Microsoft Zirve 2007 GuvenlikLostar
 
Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013
Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013
Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013Lostar
 
Tedarikçi Güvenliği için Yol Haritası
Tedarikçi Güvenliği için Yol HaritasıTedarikçi Güvenliği için Yol Haritası
Tedarikçi Güvenliği için Yol HaritasıLostar
 
Tedarikçi Kullanımı ve Riskler
Tedarikçi Kullanımı ve RisklerTedarikçi Kullanımı ve Riskler
Tedarikçi Kullanımı ve RisklerLostar
 
Yeni TTK Guvenlik
Yeni TTK GuvenlikYeni TTK Guvenlik
Yeni TTK GuvenlikLostar
 
Risk IT
Risk ITRisk IT
Risk ITLostar
 

Plus de Lostar (20)

VERBİS'e kayıt nasıl yapılacak? KVKK - Lostar
VERBİS'e kayıt nasıl yapılacak? KVKK - LostarVERBİS'e kayıt nasıl yapılacak? KVKK - Lostar
VERBİS'e kayıt nasıl yapılacak? KVKK - Lostar
 
KVKK ve GDPR'a BT Uyumu
KVKK ve GDPR'a BT UyumuKVKK ve GDPR'a BT Uyumu
KVKK ve GDPR'a BT Uyumu
 
DDoS - Dağıtık Hizmet Engelleme Saldırıları
DDoS - Dağıtık Hizmet Engelleme SaldırılarıDDoS - Dağıtık Hizmet Engelleme Saldırıları
DDoS - Dağıtık Hizmet Engelleme Saldırıları
 
Bulut & Güvenlik - Güvence Nasıl Sağlanır?
Bulut & Güvenlik - Güvence Nasıl Sağlanır?Bulut & Güvenlik - Güvence Nasıl Sağlanır?
Bulut & Güvenlik - Güvence Nasıl Sağlanır?
 
Endüstri 4.0 Güvenliği
Endüstri 4.0 GüvenliğiEndüstri 4.0 Güvenliği
Endüstri 4.0 Güvenliği
 
IoT ve Güvenlik Ekim2017
IoT ve Güvenlik Ekim2017IoT ve Güvenlik Ekim2017
IoT ve Güvenlik Ekim2017
 
Endüstri 4.0 / Güvenlik 4.0
Endüstri 4.0 / Güvenlik 4.0Endüstri 4.0 / Güvenlik 4.0
Endüstri 4.0 / Güvenlik 4.0
 
Wannacry.Lostar
Wannacry.LostarWannacry.Lostar
Wannacry.Lostar
 
BLOCKCHAIN
BLOCKCHAINBLOCKCHAIN
BLOCKCHAIN
 
Dijitalleşme çağında bilgi güvenliği'nin önemli ve alınabilecek önlemler
Dijitalleşme çağında bilgi güvenliği'nin önemli ve alınabilecek önlemlerDijitalleşme çağında bilgi güvenliği'nin önemli ve alınabilecek önlemler
Dijitalleşme çağında bilgi güvenliği'nin önemli ve alınabilecek önlemler
 
Kişisel Verileri Koruma Kanunu (KVKK) - BT Uyumu
Kişisel Verileri Koruma Kanunu (KVKK) - BT UyumuKişisel Verileri Koruma Kanunu (KVKK) - BT Uyumu
Kişisel Verileri Koruma Kanunu (KVKK) - BT Uyumu
 
Herşeyin Güvenliği - Murat Lostar - 2.Bilişim Hukuku Zirvesi
Herşeyin Güvenliği - Murat Lostar - 2.Bilişim Hukuku ZirvesiHerşeyin Güvenliği - Murat Lostar - 2.Bilişim Hukuku Zirvesi
Herşeyin Güvenliği - Murat Lostar - 2.Bilişim Hukuku Zirvesi
 
Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESS
Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESSBest Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESS
Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESS
 
Bulut Bilişim Güvenliği Nasıl Ölçülür? Cloud Controls Matrix - Lostar
Bulut Bilişim Güvenliği Nasıl Ölçülür? Cloud Controls Matrix - LostarBulut Bilişim Güvenliği Nasıl Ölçülür? Cloud Controls Matrix - Lostar
Bulut Bilişim Güvenliği Nasıl Ölçülür? Cloud Controls Matrix - Lostar
 
Lostar Microsoft Zirve 2007 Guvenlik
Lostar Microsoft Zirve 2007 GuvenlikLostar Microsoft Zirve 2007 Guvenlik
Lostar Microsoft Zirve 2007 Guvenlik
 
Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013
Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013
Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013
 
Tedarikçi Güvenliği için Yol Haritası
Tedarikçi Güvenliği için Yol HaritasıTedarikçi Güvenliği için Yol Haritası
Tedarikçi Güvenliği için Yol Haritası
 
Tedarikçi Kullanımı ve Riskler
Tedarikçi Kullanımı ve RisklerTedarikçi Kullanımı ve Riskler
Tedarikçi Kullanımı ve Riskler
 
Yeni TTK Guvenlik
Yeni TTK GuvenlikYeni TTK Guvenlik
Yeni TTK Guvenlik
 
Risk IT
Risk ITRisk IT
Risk IT
 

Dernier

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...apidays
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusZilliz
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 

Dernier (20)

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 

Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013

  • 1. The “Top 10” Web Application Security Risks Murat Lostar
  • 2. Why Web Application Security? • Mid – late 90s. • Early – 2000s. • Today • Tomorrow - Cloud, M2M • Always - People
  • 3. OWASP – Top10 1. Injection 2. Broken Authentication and Session Management 3. Cross-Site Scripting (XSS) 4. Insecure Direct Object References 5. Security Misconfiguration 6. Sensitive Data Exposure 7. Missing Functional Level Access Control 8. Cross-Site Request Forgery (CSRF) 9. Using Known Vulnerable Components 10. Unvalidated Redirects and Forwards
  • 4. 1. Injection • Application sends untrusted data to an interpreter • Types: SQL, LDAP, Xpath, NoSQL queries; OS commands; XML parsers, SMTP Headers, program arguments, etc.
  • 5. Injection Example • If exist (Select * from users where id= ‘@Name’ and pw= ‘@Pass’;) then logon successful
  • 6. Injection Example • Username: admin • Password: ‘ or 1=1 -- • If exist (Select * from users where id= ‘admin‘ and pw= ‘‘ or 1=1 --’;) • Logon successful
  • 7. Free Injection Scanner (example) • http://www.mavitunasecurity.com/community edition/
  • 8. 2. Broken Authentication and Session Management Reinventing the wheel… … not quite.
  • 10. 3. Cross-Site Scripting (XSS) • Using the vulnerable web site to attack another user (victim)
  • 11. Different XSS Types XSS Persistent Stored Distributed Non- Persistent Reflected DOM- Based Combined
  • 12. 4. Insecure Direct Object References • User logs into the application • Can see own account information http://example.com/app/accountInfo?acct=MyAcctNumber • Is it possible to get other account infos? http://example.com/app/accountInfo?acct=NotMyAcctNumber
  • 14. Questions to ask • Software out of date? (OS, Web/App Server, DBMS, applications, and all code libraries) • Unnecessary features enabled or installed? (ports, services, pages, accounts, privileges, …) • Default accounts and their passwords still the same? • Default error messages? • Insecure development frameworks settings?
  • 15. 6. Sensitive Data Exposure • Data stored in clear text long term, including backups • Data transmitted in clear text, internally or externally • Old / weak cryptographic algorithms • Weak crypto keys generated / No proper key management
  • 17. 7. Missing Functional Level Access Control • Using the URL independent of logon process without authorization
  • 18. 8. Cross-Site Request Forgery (CSRF) • Money transfer app for the bank: – GET http://bank.com/transfer.do?acct=BOB&amount=100 HTTP/1.1 • Preparing false URL: – http://bank.com/transfer.do?acct=MARIA&amount=100000 • Trick the user to send this URL: – <a href="http://bank.com/transfer.do?acct=MARIA&amount=10000 0">View my Pictures!</a> – <img src="http://bank.com/transfer.do?acct=MARIA&amount=100000 " width="1" height="1" border="0">
  • 20. 9. Using Known Vulnerable Components • Using old, unpatched components within applications • Most difficult to discover • Requires detailed inventory of components to mitigate
  • 21. 10. Unvalidated Redirects and Forwards • http://www.example.com/redirect.jsp?url =evil.com • http://www.example.com/boring.jsp?fwd= admin.jsp • Check for spider 300-307 (302) responses
  • 22. How to prevent/solve these? - %80 - %20 rule
  • 23. Input validation • White-listing (BEST) • Black-listing • Sanitizing • Data type • Data format • Data lenght
  • 24. Use strong authentication • Something you know – Passwords, PINS, etc • Something you have – Mobile phones (SMS), bank cards, OTP, etc • Something you are – Fingerprint, retina, voice, etc
  • 25. Last words • Web application security requires – Secure software lifecycle • Risk management • Security KPIs • Code security review (automated & automatic) – Continuous monitoring and pen testing – Management commitment
  • 26. Thank you. • Murat Lostar – Linkedin.com/in/lostar – www.lostar.com – Refs: OWASP, CERT, WIKIPEDIA, ISACA

Notes de l'éditeur

  1. The “Top 10” Web Application Security Risks Speaker Murat LostarCEOLostar Information SecurityAfter completing this session, you will be able to:• Recognize the Top 10 Web Application Security Risks along with the vulnerabilities that cause them• Use open source tools to identify if these risks are present in your enterprise• Participate in detailed risk mitigation examplesdrawn from banking, telecommunications, online retail and transportation• Evaluate and effectively utilize web development tools for security testing• Utilize proven methodologies and approaches to mitigate these risks in your organisation