SlideShare une entreprise Scribd logo

Xebia Knowledge Exchange - Owasp Top Ten

Publicis Sapient Engineering
Publicis Sapient Engineering

This document provides an overview and recommendations for securing Java web applications against the OWASP Top 10 security risks. It discusses each risk like cross-site scripting, injection flaws, malicious file execution, insecure direct object references, cross-site request forgery, information leakage, broken authentication, insecure cryptographic storage, and insecure communications. For each risk, it provides examples of how the risk could occur and recommendations for prevention, such as input validation, output encoding, secure configuration, access control, and use of SSL.

Technologie
1  sur  43
Télécharger pour lire hors ligne
www.xebia.fr / blog.xebia.fr OWASP Security Top Ten OWASP top ten and Java protections Cyrille Le Clerc cleclerc@xebia.fr Tuesday, November 24, 2009
OWASP Security Top Ten  This presentation is based on OWASP Top 10 For Java EE The Ten Most Critical Web Application Security Vulnerabilities For Java Enterprise Applications http://www.owasp.org/index.php/Top_10_2007 2 Tuesday, November 24, 2009
www.xebia.fr / blog.xebia.fr Cross Site Scripting (XSS) Tuesday, November 24, 2009
Cross Site Scripting (XSS)  What ?  Subset of HTML injections  Data provided by malicious users are rendered in web pages and execute scripts  Goal ?  Hijack user session, steal user data, deface web site, etc  Sample  lastName: 4 Cyrille "><script ... /> Tuesday, November 24, 2009
Cross Site Scripting (XSS) How to prevent it ?  Input Validation : JSR 303 Bean Validation 5 public class Person { @Size(min = 1, max = 256) private String lastName; @Size(max = 256) @Pattern(regexp = ".+@.+.[a-z]+") private String email; ... } @Controller("/person") public class PersonController { @RequestMapping(method=RequestMethod.POST) public void save(@Valid Person person) { // ... } } Bean C ontroller Tuesday, November 24, 2009
Cross Site Scripting (XSS) How to prevent it ?  HTML output escaping  JSTL  Expression language danger DO NOT ESCAPE !!!  Spring MVC » Global escaping » Page level 6 <h2>Welcome <c:out value="${person.lastName}" /></h2> <web-app> <context-param> <param-name>defaultHtmlEscape</param-name> <param-value>true</param-value> </context-param> ... </web-app> JSP EL does N O T escape !!! <h2>Welcome ${person.lastName} NOT ESCAPED !!!</h2> <spring:htmlEscape defaultHtmlEscape="true" /> Tuesday, November 24, 2009
Cross Site Scripting (XSS) How to prevent it ?  Use HTTP Only cookies  Cookies not accessible via javascript  Introduced with Servlet 3.0  Since Tomcat 6.0.20 for session cookies  Manual workaround 7 <Context useHttpOnly="true"> ... </Context> cookie.setHttpOnly(true); response.setHeader("set-cookie", "foo=" + bar + "; HttpOnly"); N o w eb.xm l configuration for JSESSIO N ID Tuesday, November 24, 2009
Cross Site Scripting (XSS) How to prevent it ?  Do not use blacklist validation but blacklist  Forbidden : <script>, <img>  Prefer wiki/forum white list style: [img], [url], [strong] 8 Tuesday, November 24, 2009
www.xebia.fr / blog.xebia.fr Injection Flaws Tuesday, November 24, 2009
Injection Flaws  What ?  Malicious data provided by user to read or modify sensitive data  Types of injection : SQL, Hibernate Query Language (HQL), LDAP, XPath, XQuery, XSLT, HTML, XML, OS command injection, HTTP requests, and many more  Goal ?  Create, modify, delete, read data  Sample  lastName: 10 Cyrille "; INSERT INTO MONEY_TRANSFER ... Tuesday, November 24, 2009
Injection Flaws How to prevent it ?  Input validation  XSD with regular expression, min and max values, etc  JSR 303 Bean Validation 11 Tuesday, November 24, 2009
Injection Flaws How to prevent it ?  Use strongly typed parameterized query API  JDBC  JPA  HTTP  XML  XPath :-( 12 Element lastNameElt = doc.createElement("lastName"); lastNameElt.appendChild(doc.createTextNode(lastName)); GetMethod getMethod = new GetMethod("/findPerson"); getMethod.setQueryString(new NameValuePair[]{new NameValuePair("lastName", lastName)}); query.setParameter("lastName", lastName); preparedStatement.setString(1, lastName); Tuesday, November 24, 2009
Injection Flaws How to prevent it ?  If not, use escaping libraries very cautiously !!!  HTML  Javascript  HTTP  XML  Don’t use simple escaping functions ! 13 "<lastName>" + StringEscapeUtils.escapeXml(lastName) + "</lastName>"; "/findPerson?" + URLEncoder.encode(lastName, "UTF-8"); "lastName = ‘" + StringEscapeUtils.escapeJavaScript(lastName) + "’;"; "<h2> Hello " + StringEscapeUtils.escapeHtml(lastName) + " </h2>"; Caution ! StringUtils.replaceChars(lastName, "’", "’’"); Tuesday, November 24, 2009
Injection Flaws How to prevent it ?  Don’t use dynamic queries at all ! 14 JPA 2 C riteria API if (StringUtils.isNotEmpty(lastName)) { jpaQl += " lastName like '" + lastName + "'"; } Map<String, Object> parameters = new HashMap<String, Object>(); if (StringUtils.isNotEmpty(lastName)) { jpaQl += " lastName like :lastName "; parameters.put("lastName", lastName); } Query query = entityManager.createQuery(jpaQl); for (Entry<String, Object> parameter : parameters.entrySet()) { query.setParameter(parameter.getKey(), parameter.getValue()); } if (StringUtils.isNotEmpty(lastName)) { criteria.add(Restrictions.like("lastName", lastName)); } JPA 1 Q uery API Tuesday, November 24, 2009
Injection Flaws How to prevent it ?  Enforce least privileges  Don’t be root  Limit database access to Data Manipulation Language  Limit file system access  Use firewalls to enter-from / go-to the Internet 15 Tuesday, November 24, 2009
www.xebia.fr / blog.xebia.fr Malicious File Execution Tuesday, November 24, 2009
Malicious File Execution  What ?  Malicious file or file path provided by users access files  Goal ?  Read or modify sensitive data  Remotely execute files (rootkits, etc)  Sample  pictureName: 17 ../../WEB-INF/web.xml Tuesday, November 24, 2009
Malicious File Execution How to prevent it ?  Don’t build file path from user provided data  Don’t execute commands with user provided data  Use an indirection identifier to users  Use firewalls to prevent servers to connect to outside sites 18 String picturesFolder = servletContext.getRealPath("/pictures") ; String pictureName = request.getParameter("pictureName"); File picture = new File((picturesFolder + "/" + pictureName)); Runtime.getRuntime().exec("imageprocessor " + request.getParameter("pictureName")); Tuesday, November 24, 2009
www.xebia.fr / blog.xebia.fr Insecure Direct Object Reference Tuesday, November 24, 2009
Insecure Direct Object Reference  What ?  Transmit user forgeable identifiers without controlling them server side  Goal ?  Create, modify, delete, read other user’s data  Sample 20 <html><body> <form name="shoppingCart"> <input name="id" type="hidden" value="32" /> ... </form> </body><html> ShoppingCart shoppingCart = entityManager.find(ShoppingCart.class, req.getParameter("id")); Tuesday, November 24, 2009
Insecure Direct Object Reference How to prevent it ?  Input identifier validation  reject wildcards (“10%20”)  Add server side identifiers  Control access permissions  See Spring Security 21 Criteria criteria = session.createCriteria(ShoppingCart.class); criteria.add(Restrictions.like("id", request.getParameter("id"))); criteria.add(Restrictions.like("clientId", request.getRemoteUser())); ShoppingCart shoppingCart = (ShoppingCart) criteria.uniqueResult(); Tuesday, November 24, 2009
Insecure Direct Object Reference How to prevent it ?  Use server side indirection with generated random  See org.owasp.esapi.AccessReferenceMap 22 String indirectId = request.getParameter("id"); String id = accessReferenceMap.getDirectReference(indirectId); ShoppingCart shoppingCart = entityManager.find(ShoppingCart.class, id); String indirectId = accessReferenceMap.getIndirectReference(shoppingCart.getId()); <html><body> <form name="shoppingCart"> <input name="id" type="hidden" value="${indirectId}" /> ... </form> </body><html> Tuesday, November 24, 2009
www.xebia.fr / blog.xebia.fr Cross Site Request Forgery (CSRF) Tuesday, November 24, 2009
Cross Site Request Forgery (CSRF)  What ?  Assume that the user is logged to another web site and send a malicious request  Ajax web sites are very exposed !  Goal ?  Perform operations without asking the user  Sample 24 http://mybank.com/transfer.do?amount=100000&recipientAccount=12345 Tuesday, November 24, 2009
Cross Site Request Forgery (CSRF) How to prevent it ?  Ensure that no XSS vulnerability exists in your application  Use a random token in sensitive forms  Spring Web Flow and Struts 2 provide such random token mechanisms  Re-authenticate user for sensitive operations 25 <form action="/transfer.do"> <input name="token" type="hidden" value="14689423257893257" /> <input name="amount" /> ... </form> Tuesday, November 24, 2009
www.xebia.fr / blog.xebia.fr Information Leakage and Improper Exception Handling Tuesday, November 24, 2009
Information Leakage and Improper Exception Handling  What ?  Sensitive code details given to hackers  Usually done raising exceptions  Goal ?  Discover code details to discover vulnerabilities 27 Tuesday, November 24, 2009
Information Leakage and Improper Exception Handling  Sample 28 Tuesday, November 24, 2009
Information Leakage and Improper Exception Handling How to prevent it ?  Avoid detailed error messages  Beware of development mode messages !  web.xml  Tomcat 29 <web-app> <error-page> <exception-type>java.lang.Throwable</exception-type> <location>/empty-error-page.jsp</location> </error-page> ... </web-app> <Server ...> <Service ...> <Engine ...> <Host errorReportValveClass="com.mycie.tomcat.EmptyErrorReportValve" ...> ... </Host> </Engine> </Service> </Server> Tuesday, November 24, 2009
Information Leakage and Improper Exception Handling How to prevent it ?  Don’t display stack traces in Soap Faults  Sanitize GUI error messages  Sample : “Invalid login or password” 30 Tuesday, November 24, 2009
www.xebia.fr / blog.xebia.fr Broken Authentication and Session Management Tuesday, November 24, 2009
Broken Authentication and Session Management  What ?  Web authentication and session handling have many tricks  Goal ?  Hijack user session 32 Tuesday, November 24, 2009
Broken Authentication and Session Management How to prevent it ?  Log session initiation and sensitive data access  Remote Ip, time, login, sensitive data & operation accessed  Use a log4j dedicated non over-written output file  Use out of the box session and authentication mechanisms  Don’t create your own cookies  Look at Spring Security 33 #Audit log4j.appender.audit=org.apache.log4j.DailyRollingFileAppender log4j.appender.audit.datePattern='-'yyyyMMdd log4j.appender.audit.file=audit.log log4j.appender.audit.layout=org.apache.log4j.EnhancedPatternLayout log4j.appender.audit.layout.conversionPattern=%m %throwable{short}n log4j.logger.com.mycompany.audit.Audit=INFO, audit log4j.additivity.com.mycompany.audit.Audit=false Tuesday, November 24, 2009
Broken Authentication and Session Management How to prevent it ?  Use SSL and random token for authentication pages  including login page display  Regenerate a new session on successful authentication  Use Http Only session cookies, don’t use URL rewriting based session handling  Prevent brute force attacks using timeouts or locking password on authentication failures  Don’t store clear text password, consider SSHA 34 Tuesday, November 24, 2009
Broken Authentication and Session Management How to prevent it ?  Use a timeout period  Remember Me cookies must be invalidated on password change (see Spring Security)  Beware not to write password in log files  Server generated passwords (lost password, etc) must be valid only once  Be able to distinguish SSL communications 35 Tuesday, November 24, 2009
Broken Authentication and Session Management How to prevent it ?  For server to server communication, use remote ip control in addition to password validation 36 Tuesday, November 24, 2009
www.xebia.fr / blog.xebia.fr Insecure Cryptographic Storage Tuesday, November 24, 2009
Insecure Cryptographic Storage  What ?  Cryptography has many traps  Goal ?  Steal sensitive data 38 Tuesday, November 24, 2009
Insecure Cryptographic Storage How to prevent it ?  Don’t invent custom cryptography solutions  Java offers approved algorithms for hashing, symmetric key and public key encryptions  Double hashing is a custom weak algorithm  Don’t use weak algorithms  MD5 / SHA1, etc are weak. Prefer SHA-256  Beware of private keys storage  Java doesn’t offer chroot mechanisms to limit private keys files access to root  Storing secrets on servers requires expertise 39 Tuesday, November 24, 2009
www.xebia.fr / blog.xebia.fr Insecure Communications Tuesday, November 24, 2009
Insecure Communications  What ?  Unsecure communications are easy to hack  Goal ?  Steal sensitive data, hijack user session 41 Tuesday, November 24, 2009
Insecure Communications How to prevent it ?  Use SSL with the Servlet API 42 request.isSecure() <web-app ...> ... <security-constraint> <web-resource-collection> <web-resource-name>restricted web services</web-resource-name> <url-pattern>/services/*</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> ... </web-app> Tuesday, November 24, 2009
Insecure Communications How to prevent it ?  Use SSL with Spring Security 43 <beans ...> <sec:http auto-config="true"> <sec:intercept-url pattern="/services/**" requires-channel="https" access="IS_AUTHENTICATED_FULLY" /> </sec:http> </beans> Tuesday, November 24, 2009

Recommandé

Talk about html5 security
Talk about html5 securityTalk about html5 security
Talk about html5 securityHuang Toby
 
New Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationNew Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationKen Belva
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010Mario Heiderich
 
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés RianchoCODE BLUE
 
Google chrome presentation
Google chrome presentationGoogle chrome presentation
Google chrome presentationreza jalaluddin
 
.NET Fest 2017. Михаил Щербаков. Механизмы предотвращения атак в ASP.NET Core
.NET Fest 2017. Михаил Щербаков. Механизмы предотвращения атак в ASP.NET Core.NET Fest 2017. Михаил Щербаков. Механизмы предотвращения атак в ASP.NET Core
.NET Fest 2017. Михаил Щербаков. Механизмы предотвращения атак в ASP.NET CoreNETFest
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 

Recommandé

Talk about html5 security
Talk about html5 securityTalk about html5 security
Talk about html5 securityHuang Toby
 
New Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationNew Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationKen Belva
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010Mario Heiderich
 
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés RianchoCODE BLUE
 
Google chrome presentation
Google chrome presentationGoogle chrome presentation
Google chrome presentationreza jalaluddin
 
.NET Fest 2017. Михаил Щербаков. Механизмы предотвращения атак в ASP.NET Core
.NET Fest 2017. Михаил Щербаков. Механизмы предотвращения атак в ASP.NET Core.NET Fest 2017. Михаил Щербаков. Механизмы предотвращения атак в ASP.NET Core
.NET Fest 2017. Михаил Щербаков. Механизмы предотвращения атак в ASP.NET CoreNETFest
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...Jakub Kałużny
 
[Poland] It's only about frontend
[Poland] It's only about frontend[Poland] It's only about frontend
[Poland] It's only about frontendOWASP EEE
 
Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...
Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...
Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...Xlator
 
Web Security Horror Stories
Web Security Horror StoriesWeb Security Horror Stories
Web Security Horror StoriesSimon Willison
 
주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법guestad13b55
 
Repaso rápido a los nuevos estándares web
Repaso rápido a los nuevos estándares webRepaso rápido a los nuevos estándares web
Repaso rápido a los nuevos estándares webPablo Garaizar
 
Waf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptWaf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptDenis Kolegov
 
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...Ivan Piskunov
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scriptingDilan Warnakulasooriya
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
 
Defcon CTF quals
Defcon CTF qualsDefcon CTF quals
Defcon CTF qualssnyff
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levelsbeched
 
Tuenti: Web Application Security
Tuenti: Web Application SecurityTuenti: Web Application Security
Tuenti: Web Application SecurityGuille -bisho-
 
Thug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclientThug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclientAngelo Dell'Aera
 
VSA: The Virtual Scripted Attacker, Brucon 2012
VSA: The Virtual Scripted Attacker, Brucon 2012VSA: The Virtual Scripted Attacker, Brucon 2012
VSA: The Virtual Scripted Attacker, Brucon 2012Abraham Aranguren
 
Html5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraHtml5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraKrzysztof Kotowicz
 
"Подход к написанию безопасного клиентского кода на примере React", Иван Елки...
"Подход к написанию безопасного клиентского кода на примере React", Иван Елки..."Подход к написанию безопасного клиентского кода на примере React", Иван Елки...
"Подход к написанию безопасного клиентского кода на примере React", Иван Елки...MoscowJS
 
Not a Security Boundary: Bypassing User Account Control
Not a Security Boundary: Bypassing User Account ControlNot a Security Boundary: Bypassing User Account Control
Not a Security Boundary: Bypassing User Account Controlenigma0x3
 
HTML5 Web Messaging
HTML5 Web MessagingHTML5 Web Messaging
HTML5 Web MessagingMike Taylor
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applicationsDevnology
 
Application and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionApplication and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionDaniel Owens
 

Contenu connexe

Tendances

In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...Jakub Kałużny
 
[Poland] It's only about frontend
[Poland] It's only about frontend[Poland] It's only about frontend
[Poland] It's only about frontendOWASP EEE
 
Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...
Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...
Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...Xlator
 
Web Security Horror Stories
Web Security Horror StoriesWeb Security Horror Stories
Web Security Horror StoriesSimon Willison
 
주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법guestad13b55
 
Repaso rápido a los nuevos estándares web
Repaso rápido a los nuevos estándares webRepaso rápido a los nuevos estándares web
Repaso rápido a los nuevos estándares webPablo Garaizar
 
Waf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptWaf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptDenis Kolegov
 
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...Ivan Piskunov
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
 
Defcon CTF quals
Defcon CTF qualsDefcon CTF quals
Defcon CTF qualssnyff
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levelsbeched
 
Tuenti: Web Application Security
Tuenti: Web Application SecurityTuenti: Web Application Security
Tuenti: Web Application SecurityGuille -bisho-
 
Thug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclientThug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclientAngelo Dell'Aera
 
VSA: The Virtual Scripted Attacker, Brucon 2012
VSA: The Virtual Scripted Attacker, Brucon 2012VSA: The Virtual Scripted Attacker, Brucon 2012
VSA: The Virtual Scripted Attacker, Brucon 2012Abraham Aranguren
 
Html5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraHtml5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraKrzysztof Kotowicz
 
"Подход к написанию безопасного клиентского кода на примере React", Иван Елки...
"Подход к написанию безопасного клиентского кода на примере React", Иван Елки..."Подход к написанию безопасного клиентского кода на примере React", Иван Елки...
"Подход к написанию безопасного клиентского кода на примере React", Иван Елки...MoscowJS
 
Not a Security Boundary: Bypassing User Account Control
Not a Security Boundary: Bypassing User Account ControlNot a Security Boundary: Bypassing User Account Control
Not a Security Boundary: Bypassing User Account Controlenigma0x3
 
HTML5 Web Messaging
HTML5 Web MessagingHTML5 Web Messaging
HTML5 Web MessagingMike Taylor
 

Tendances (20)

In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
 
[Poland] It's only about frontend
[Poland] It's only about frontend[Poland] It's only about frontend
[Poland] It's only about frontend
 
Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...
Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...
Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...
 
Web Security Horror Stories
Web Security Horror StoriesWeb Security Horror Stories
Web Security Horror Stories
 
주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법
 
Repaso rápido a los nuevos estándares web
Repaso rápido a los nuevos estándares webRepaso rápido a los nuevos estándares web
Repaso rápido a los nuevos estándares web
 
Waf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptWaf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScript
 
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
 
Defcon CTF quals
Defcon CTF qualsDefcon CTF quals
Defcon CTF quals
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levels
 
Tuenti: Web Application Security
Tuenti: Web Application SecurityTuenti: Web Application Security
Tuenti: Web Application Security
 
Thug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclientThug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclient
 
VSA: The Virtual Scripted Attacker, Brucon 2012
VSA: The Virtual Scripted Attacker, Brucon 2012VSA: The Virtual Scripted Attacker, Brucon 2012
VSA: The Virtual Scripted Attacker, Brucon 2012
 
Html5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraHtml5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPra
 
"Подход к написанию безопасного клиентского кода на примере React", Иван Елки...
"Подход к написанию безопасного клиентского кода на примере React", Иван Елки..."Подход к написанию безопасного клиентского кода на примере React", Иван Елки...
"Подход к написанию безопасного клиентского кода на примере React", Иван Елки...
 
Not a Security Boundary: Bypassing User Account Control
Not a Security Boundary: Bypassing User Account ControlNot a Security Boundary: Bypassing User Account Control
Not a Security Boundary: Bypassing User Account Control
 
HTML5 Web Messaging
HTML5 Web MessagingHTML5 Web Messaging
HTML5 Web Messaging
 

Similaire à Xebia Knowledge Exchange - Owasp Top Ten

The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applicationsDevnology
 
Application and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionApplication and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionDaniel Owens
 
Hacking 101 (Session 2)
Hacking 101 (Session 2)Hacking 101 (Session 2)
Hacking 101 (Session 2)Nitroxis Sprl
 
Evolution Of Web Security
Evolution Of Web SecurityEvolution Of Web Security
Evolution Of Web SecurityChris Shiflett
 
Protecting Your Web Site From SQL Injection & XSS
Protecting Your Web Site From SQL Injection & XSSProtecting Your Web Site From SQL Injection & XSS
Protecting Your Web Site From SQL Injection & XSSskyhawk133
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0Mario Heiderich
 
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...Quek Lilian
 
DevBeat 2013 - Developer-first Security
DevBeat 2013 - Developer-first SecurityDevBeat 2013 - Developer-first Security
DevBeat 2013 - Developer-first SecurityCoverity
 
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Mario Heiderich
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfacesmichelemanzotti
 
PCI Security Requirements - secure coding
PCI Security Requirements - secure codingPCI Security Requirements - secure coding
PCI Security Requirements - secure codingHaitham Raik
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008abhijitapatil
 
Web Application Security in Rails
Web Application Security in RailsWeb Application Security in Rails
Web Application Security in RailsUri Nativ
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshoptestuser1223
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processguest3379bd
 
Drupal campleuven: Secure Drupal Development
Drupal campleuven: Secure Drupal DevelopmentDrupal campleuven: Secure Drupal Development
Drupal campleuven: Secure Drupal DevelopmentSteven Van den Hout
 

Similaire à Xebia Knowledge Exchange - Owasp Top Ten (20)

The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
Application and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionApplication and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental Edition
 
Hacking 101 (Session 2)
Hacking 101 (Session 2)Hacking 101 (Session 2)
Hacking 101 (Session 2)
 
Evolution Of Web Security
Evolution Of Web SecurityEvolution Of Web Security
Evolution Of Web Security
 
Protecting Your Web Site From SQL Injection & XSS
Protecting Your Web Site From SQL Injection & XSSProtecting Your Web Site From SQL Injection & XSS
Protecting Your Web Site From SQL Injection & XSS
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0
 
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
 
DevBeat 2013 - Developer-first Security
DevBeat 2013 - Developer-first SecurityDevBeat 2013 - Developer-first Security
DevBeat 2013 - Developer-first Security
 
ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web Security
 
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
 
PCI Security Requirements - secure coding
PCI Security Requirements - secure codingPCI Security Requirements - secure coding
PCI Security Requirements - secure coding
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
 
WebApps_Lecture_15.ppt
WebApps_Lecture_15.pptWebApps_Lecture_15.ppt
WebApps_Lecture_15.ppt
 
PHP Secure Programming
PHP Secure ProgrammingPHP Secure Programming
PHP Secure Programming
 
Web Application Security in Rails
Web Application Security in RailsWeb Application Security in Rails
Web Application Security in Rails
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshop
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the process
 
Drupal campleuven: Secure Drupal Development
Drupal campleuven: Secure Drupal DevelopmentDrupal campleuven: Secure Drupal Development
Drupal campleuven: Secure Drupal Development
 

Plus de Publicis Sapient Engineering

XebiCon'18 - L'algorithme de reconnaissance de formes par le cerveau humain
XebiCon'18 - L'algorithme de reconnaissance de formes par le cerveau humainXebiCon'18 - L'algorithme de reconnaissance de formes par le cerveau humain
XebiCon'18 - L'algorithme de reconnaissance de formes par le cerveau humainPublicis Sapient Engineering
 
Xebicon'18 - Spark in jail : conteneurisez vos traitements data sans serveur
Xebicon'18 - Spark in jail : conteneurisez vos traitements data sans serveurXebicon'18 - Spark in jail : conteneurisez vos traitements data sans serveur
Xebicon'18 - Spark in jail : conteneurisez vos traitements data sans serveurPublicis Sapient Engineering
 
XebiCon'18 - La Web App d'aujourd'hui et de demain : état de l'art et bleedin...
XebiCon'18 - La Web App d'aujourd'hui et de demain : état de l'art et bleedin...XebiCon'18 - La Web App d'aujourd'hui et de demain : état de l'art et bleedin...
XebiCon'18 - La Web App d'aujourd'hui et de demain : état de l'art et bleedin...Publicis Sapient Engineering
 
XebiCon'18 - Des notebook pour le monitoring avec Zeppelin
XebiCon'18 - Des notebook pour le monitoring avec Zeppelin XebiCon'18 - Des notebook pour le monitoring avec Zeppelin
XebiCon'18 - Des notebook pour le monitoring avec Zeppelin Publicis Sapient Engineering
 
XebiCon'18 - Event Sourcing et RGPD, incompatibles ?
XebiCon'18 - Event Sourcing et RGPD, incompatibles ?XebiCon'18 - Event Sourcing et RGPD, incompatibles ?
XebiCon'18 - Event Sourcing et RGPD, incompatibles ?Publicis Sapient Engineering
 
XebiCon'18 - Deno, le nouveau NodeJS qui inverse la tendance ?
XebiCon'18 - Deno, le nouveau NodeJS qui inverse la tendance ?XebiCon'18 - Deno, le nouveau NodeJS qui inverse la tendance ?
XebiCon'18 - Deno, le nouveau NodeJS qui inverse la tendance ?Publicis Sapient Engineering
 
XebiCon'18 - Boostez vos modèles avec du Deep Learning distribué
XebiCon'18 - Boostez vos modèles avec du Deep Learning distribuéXebiCon'18 - Boostez vos modèles avec du Deep Learning distribué
XebiCon'18 - Boostez vos modèles avec du Deep Learning distribuéPublicis Sapient Engineering
 
XebiCon'18 - Comment j'ai développé un jeu vidéo avec des outils de développe...
XebiCon'18 - Comment j'ai développé un jeu vidéo avec des outils de développe...XebiCon'18 - Comment j'ai développé un jeu vidéo avec des outils de développe...
XebiCon'18 - Comment j'ai développé un jeu vidéo avec des outils de développe...Publicis Sapient Engineering
 
XebiCon'18 - Les utilisateurs finaux, les oubliés de nos produits !
XebiCon'18 - Les utilisateurs finaux, les oubliés de nos produits !XebiCon'18 - Les utilisateurs finaux, les oubliés de nos produits !
XebiCon'18 - Les utilisateurs finaux, les oubliés de nos produits !Publicis Sapient Engineering
 
XebiCon'18 - Comment fausser l'interprétation de vos résultats avec des dataviz
XebiCon'18 - Comment fausser l'interprétation de vos résultats avec des datavizXebiCon'18 - Comment fausser l'interprétation de vos résultats avec des dataviz
XebiCon'18 - Comment fausser l'interprétation de vos résultats avec des datavizPublicis Sapient Engineering
 
XebiCon'18 - Architecturer son application mobile pour la durabilité
XebiCon'18 - Architecturer son application mobile pour la durabilitéXebiCon'18 - Architecturer son application mobile pour la durabilité
XebiCon'18 - Architecturer son application mobile pour la durabilitéPublicis Sapient Engineering
 
XebiCon'18 - Sécuriser son API avec OpenID Connect
XebiCon'18 - Sécuriser son API avec OpenID ConnectXebiCon'18 - Sécuriser son API avec OpenID Connect
XebiCon'18 - Sécuriser son API avec OpenID ConnectPublicis Sapient Engineering
 
XebiCon'18 - Structuration du Temps et Dynamique de Groupes, Théorie organisa...
XebiCon'18 - Structuration du Temps et Dynamique de Groupes, Théorie organisa...XebiCon'18 - Structuration du Temps et Dynamique de Groupes, Théorie organisa...
XebiCon'18 - Structuration du Temps et Dynamique de Groupes, Théorie organisa...Publicis Sapient Engineering
 
XebiCon'18 - La sécurité, douce illusion même en 2018
XebiCon'18 - La sécurité, douce illusion même en 2018XebiCon'18 - La sécurité, douce illusion même en 2018
XebiCon'18 - La sécurité, douce illusion même en 2018Publicis Sapient Engineering
 
XebiCon'18 - Utiliser Hyperledger Fabric pour la création d'une blockchain pr...
XebiCon'18 - Utiliser Hyperledger Fabric pour la création d'une blockchain pr...XebiCon'18 - Utiliser Hyperledger Fabric pour la création d'une blockchain pr...
XebiCon'18 - Utiliser Hyperledger Fabric pour la création d'une blockchain pr...Publicis Sapient Engineering
 
XebiCon'18 - Ce que l'histoire du métro Parisien m'a enseigné sur la création...
XebiCon'18 - Ce que l'histoire du métro Parisien m'a enseigné sur la création...XebiCon'18 - Ce que l'histoire du métro Parisien m'a enseigné sur la création...
XebiCon'18 - Ce que l'histoire du métro Parisien m'a enseigné sur la création...Publicis Sapient Engineering
 

Plus de Publicis Sapient Engineering (20)

XebiCon'18 - L'algorithme de reconnaissance de formes par le cerveau humain
XebiCon'18 - L'algorithme de reconnaissance de formes par le cerveau humainXebiCon'18 - L'algorithme de reconnaissance de formes par le cerveau humain
XebiCon'18 - L'algorithme de reconnaissance de formes par le cerveau humain
 
Xebicon'18 - IoT: From Edge to Cloud
Xebicon'18 - IoT: From Edge to CloudXebicon'18 - IoT: From Edge to Cloud
Xebicon'18 - IoT: From Edge to Cloud
 
Xebicon'18 - Spark in jail : conteneurisez vos traitements data sans serveur
Xebicon'18 - Spark in jail : conteneurisez vos traitements data sans serveurXebicon'18 - Spark in jail : conteneurisez vos traitements data sans serveur
Xebicon'18 - Spark in jail : conteneurisez vos traitements data sans serveur
 
XebiCon'18 - Modern Infrastructure
XebiCon'18 - Modern InfrastructureXebiCon'18 - Modern Infrastructure
XebiCon'18 - Modern Infrastructure
 
XebiCon'18 - La Web App d'aujourd'hui et de demain : état de l'art et bleedin...
XebiCon'18 - La Web App d'aujourd'hui et de demain : état de l'art et bleedin...XebiCon'18 - La Web App d'aujourd'hui et de demain : état de l'art et bleedin...
XebiCon'18 - La Web App d'aujourd'hui et de demain : état de l'art et bleedin...
 
XebiCon'18 - Des notebook pour le monitoring avec Zeppelin
XebiCon'18 - Des notebook pour le monitoring avec Zeppelin XebiCon'18 - Des notebook pour le monitoring avec Zeppelin
XebiCon'18 - Des notebook pour le monitoring avec Zeppelin
 
XebiCon'18 - Event Sourcing et RGPD, incompatibles ?
XebiCon'18 - Event Sourcing et RGPD, incompatibles ?XebiCon'18 - Event Sourcing et RGPD, incompatibles ?
XebiCon'18 - Event Sourcing et RGPD, incompatibles ?
 
XebiCon'18 - Deno, le nouveau NodeJS qui inverse la tendance ?
XebiCon'18 - Deno, le nouveau NodeJS qui inverse la tendance ?XebiCon'18 - Deno, le nouveau NodeJS qui inverse la tendance ?
XebiCon'18 - Deno, le nouveau NodeJS qui inverse la tendance ?
 
XebiCon'18 - Boostez vos modèles avec du Deep Learning distribué
XebiCon'18 - Boostez vos modèles avec du Deep Learning distribuéXebiCon'18 - Boostez vos modèles avec du Deep Learning distribué
XebiCon'18 - Boostez vos modèles avec du Deep Learning distribué
 
XebiCon'18 - Comment j'ai développé un jeu vidéo avec des outils de développe...
XebiCon'18 - Comment j'ai développé un jeu vidéo avec des outils de développe...XebiCon'18 - Comment j'ai développé un jeu vidéo avec des outils de développe...
XebiCon'18 - Comment j'ai développé un jeu vidéo avec des outils de développe...
 
XebiCon'18 - Les utilisateurs finaux, les oubliés de nos produits !
XebiCon'18 - Les utilisateurs finaux, les oubliés de nos produits !XebiCon'18 - Les utilisateurs finaux, les oubliés de nos produits !
XebiCon'18 - Les utilisateurs finaux, les oubliés de nos produits !
 
XebiCon'18 - Comment fausser l'interprétation de vos résultats avec des dataviz
XebiCon'18 - Comment fausser l'interprétation de vos résultats avec des datavizXebiCon'18 - Comment fausser l'interprétation de vos résultats avec des dataviz
XebiCon'18 - Comment fausser l'interprétation de vos résultats avec des dataviz
 
XebiCon'18 - Le développeur dans la Pop Culture
XebiCon'18 - Le développeur dans la Pop Culture XebiCon'18 - Le développeur dans la Pop Culture
XebiCon'18 - Le développeur dans la Pop Culture
 
XebiCon'18 - Architecturer son application mobile pour la durabilité
XebiCon'18 - Architecturer son application mobile pour la durabilitéXebiCon'18 - Architecturer son application mobile pour la durabilité
XebiCon'18 - Architecturer son application mobile pour la durabilité
 
XebiCon'18 - Sécuriser son API avec OpenID Connect
XebiCon'18 - Sécuriser son API avec OpenID ConnectXebiCon'18 - Sécuriser son API avec OpenID Connect
XebiCon'18 - Sécuriser son API avec OpenID Connect
 
XebiCon'18 - Structuration du Temps et Dynamique de Groupes, Théorie organisa...
XebiCon'18 - Structuration du Temps et Dynamique de Groupes, Théorie organisa...XebiCon'18 - Structuration du Temps et Dynamique de Groupes, Théorie organisa...
XebiCon'18 - Structuration du Temps et Dynamique de Groupes, Théorie organisa...
 
XebiCon'18 - Spark NLP, un an après
XebiCon'18 - Spark NLP, un an aprèsXebiCon'18 - Spark NLP, un an après
XebiCon'18 - Spark NLP, un an après
 
XebiCon'18 - La sécurité, douce illusion même en 2018
XebiCon'18 - La sécurité, douce illusion même en 2018XebiCon'18 - La sécurité, douce illusion même en 2018
XebiCon'18 - La sécurité, douce illusion même en 2018
 
XebiCon'18 - Utiliser Hyperledger Fabric pour la création d'une blockchain pr...
XebiCon'18 - Utiliser Hyperledger Fabric pour la création d'une blockchain pr...XebiCon'18 - Utiliser Hyperledger Fabric pour la création d'une blockchain pr...
XebiCon'18 - Utiliser Hyperledger Fabric pour la création d'une blockchain pr...
 
XebiCon'18 - Ce que l'histoire du métro Parisien m'a enseigné sur la création...
XebiCon'18 - Ce que l'histoire du métro Parisien m'a enseigné sur la création...XebiCon'18 - Ce que l'histoire du métro Parisien m'a enseigné sur la création...
XebiCon'18 - Ce que l'histoire du métro Parisien m'a enseigné sur la création...
 

Dernier

Server-Driven User Interface (SDUI) at Priceline
Server-Driven User Interface (SDUI) at PricelineServer-Driven User Interface (SDUI) at Priceline
Server-Driven User Interface (SDUI) at PricelineUXDXConf
 
IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIES VE
 
AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101vincent683379
 
Powerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaPowerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaCzechDreamin
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoTAnalytics
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxDavid Michel
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backElena Simperl
 
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka DoktorováCzechDreamin
 
Motion for AI: Creating Empathy in Technology
Motion for AI: Creating Empathy in TechnologyMotion for AI: Creating Empathy in Technology
Motion for AI: Creating Empathy in TechnologyUXDXConf
 
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀DianaGray10
 
Designing for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at ComcastDesigning for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at ComcastUXDXConf
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxAbida Shariff
 
Introduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationIntroduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationZilliz
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsStefano
 
What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024Stephanie Beckett
 
Strategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering TeamsStrategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering TeamsUXDXConf
 
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1DianaGray10
 
The architecture of Generative AI for enterprises.pdf
The architecture of Generative AI for enterprises.pdfThe architecture of Generative AI for enterprises.pdf
The architecture of Generative AI for enterprises.pdfalexjohnson7307
 
Enterprise Security Monitoring, And Log Management.
Enterprise Security Monitoring, And Log Management.Enterprise Security Monitoring, And Log Management.
Enterprise Security Monitoring, And Log Management.Boni Yeamin
 
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCustom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCzechDreamin
 

Dernier (20)

Server-Driven User Interface (SDUI) at Priceline
Server-Driven User Interface (SDUI) at PricelineServer-Driven User Interface (SDUI) at Priceline
Server-Driven User Interface (SDUI) at Priceline
 
IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and Planning
 
AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101
 
Powerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaPowerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara Laskowska
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
 
Motion for AI: Creating Empathy in Technology
Motion for AI: Creating Empathy in TechnologyMotion for AI: Creating Empathy in Technology
Motion for AI: Creating Empathy in Technology
 
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
 
Designing for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at ComcastDesigning for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at Comcast
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
Introduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationIntroduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG Evaluation
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. Startups
 
What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024
 
Strategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering TeamsStrategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering Teams
 
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1
 
The architecture of Generative AI for enterprises.pdf
The architecture of Generative AI for enterprises.pdfThe architecture of Generative AI for enterprises.pdf
The architecture of Generative AI for enterprises.pdf
 
Enterprise Security Monitoring, And Log Management.
Enterprise Security Monitoring, And Log Management.Enterprise Security Monitoring, And Log Management.
Enterprise Security Monitoring, And Log Management.
 
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCustom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
 

Xebia Knowledge Exchange - Owasp Top Ten

  • 1. www.xebia.fr / blog.xebia.fr OWASP Security Top Ten OWASP top ten and Java protections Cyrille Le Clerc cleclerc@xebia.fr Tuesday, November 24, 2009
  • 2. OWASP Security Top Ten  This presentation is based on OWASP Top 10 For Java EE The Ten Most Critical Web Application Security Vulnerabilities For Java Enterprise Applications http://www.owasp.org/index.php/Top_10_2007 2 Tuesday, November 24, 2009
  • 3. www.xebia.fr / blog.xebia.fr Cross Site Scripting (XSS) Tuesday, November 24, 2009
  • 4. Cross Site Scripting (XSS)  What ?  Subset of HTML injections  Data provided by malicious users are rendered in web pages and execute scripts  Goal ?  Hijack user session, steal user data, deface web site, etc  Sample  lastName: 4 Cyrille "><script ... /> Tuesday, November 24, 2009
  • 5. Cross Site Scripting (XSS) How to prevent it ?  Input Validation : JSR 303 Bean Validation 5 public class Person { @Size(min = 1, max = 256) private String lastName; @Size(max = 256) @Pattern(regexp = ".+@.+.[a-z]+") private String email; ... } @Controller("/person") public class PersonController { @RequestMapping(method=RequestMethod.POST) public void save(@Valid Person person) { // ... } } Bean C ontroller Tuesday, November 24, 2009
  • 6. Cross Site Scripting (XSS) How to prevent it ?  HTML output escaping  JSTL  Expression language danger DO NOT ESCAPE !!!  Spring MVC » Global escaping » Page level 6 <h2>Welcome <c:out value="${person.lastName}" /></h2> <web-app> <context-param> <param-name>defaultHtmlEscape</param-name> <param-value>true</param-value> </context-param> ... </web-app> JSP EL does N O T escape !!! <h2>Welcome ${person.lastName} NOT ESCAPED !!!</h2> <spring:htmlEscape defaultHtmlEscape="true" /> Tuesday, November 24, 2009
  • 7. Cross Site Scripting (XSS) How to prevent it ?  Use HTTP Only cookies  Cookies not accessible via javascript  Introduced with Servlet 3.0  Since Tomcat 6.0.20 for session cookies  Manual workaround 7 <Context useHttpOnly="true"> ... </Context> cookie.setHttpOnly(true); response.setHeader("set-cookie", "foo=" + bar + "; HttpOnly"); N o w eb.xm l configuration for JSESSIO N ID Tuesday, November 24, 2009
  • 8. Cross Site Scripting (XSS) How to prevent it ?  Do not use blacklist validation but blacklist  Forbidden : <script>, <img>  Prefer wiki/forum white list style: [img], [url], [strong] 8 Tuesday, November 24, 2009
  • 9. www.xebia.fr / blog.xebia.fr Injection Flaws Tuesday, November 24, 2009
  • 10. Injection Flaws  What ?  Malicious data provided by user to read or modify sensitive data  Types of injection : SQL, Hibernate Query Language (HQL), LDAP, XPath, XQuery, XSLT, HTML, XML, OS command injection, HTTP requests, and many more  Goal ?  Create, modify, delete, read data  Sample  lastName: 10 Cyrille "; INSERT INTO MONEY_TRANSFER ... Tuesday, November 24, 2009
  • 11. Injection Flaws How to prevent it ?  Input validation  XSD with regular expression, min and max values, etc  JSR 303 Bean Validation 11 Tuesday, November 24, 2009
  • 12. Injection Flaws How to prevent it ?  Use strongly typed parameterized query API  JDBC  JPA  HTTP  XML  XPath :-( 12 Element lastNameElt = doc.createElement("lastName"); lastNameElt.appendChild(doc.createTextNode(lastName)); GetMethod getMethod = new GetMethod("/findPerson"); getMethod.setQueryString(new NameValuePair[]{new NameValuePair("lastName", lastName)}); query.setParameter("lastName", lastName); preparedStatement.setString(1, lastName); Tuesday, November 24, 2009
  • 13. Injection Flaws How to prevent it ?  If not, use escaping libraries very cautiously !!!  HTML  Javascript  HTTP  XML  Don’t use simple escaping functions ! 13 "<lastName>" + StringEscapeUtils.escapeXml(lastName) + "</lastName>"; "/findPerson?" + URLEncoder.encode(lastName, "UTF-8"); "lastName = ‘" + StringEscapeUtils.escapeJavaScript(lastName) + "’;"; "<h2> Hello " + StringEscapeUtils.escapeHtml(lastName) + " </h2>"; Caution ! StringUtils.replaceChars(lastName, "’", "’’"); Tuesday, November 24, 2009
  • 14. Injection Flaws How to prevent it ?  Don’t use dynamic queries at all ! 14 JPA 2 C riteria API if (StringUtils.isNotEmpty(lastName)) { jpaQl += " lastName like '" + lastName + "'"; } Map<String, Object> parameters = new HashMap<String, Object>(); if (StringUtils.isNotEmpty(lastName)) { jpaQl += " lastName like :lastName "; parameters.put("lastName", lastName); } Query query = entityManager.createQuery(jpaQl); for (Entry<String, Object> parameter : parameters.entrySet()) { query.setParameter(parameter.getKey(), parameter.getValue()); } if (StringUtils.isNotEmpty(lastName)) { criteria.add(Restrictions.like("lastName", lastName)); } JPA 1 Q uery API Tuesday, November 24, 2009
  • 15. Injection Flaws How to prevent it ?  Enforce least privileges  Don’t be root  Limit database access to Data Manipulation Language  Limit file system access  Use firewalls to enter-from / go-to the Internet 15 Tuesday, November 24, 2009
  • 16. www.xebia.fr / blog.xebia.fr Malicious File Execution Tuesday, November 24, 2009
  • 17. Malicious File Execution  What ?  Malicious file or file path provided by users access files  Goal ?  Read or modify sensitive data  Remotely execute files (rootkits, etc)  Sample  pictureName: 17 ../../WEB-INF/web.xml Tuesday, November 24, 2009
  • 18. Malicious File Execution How to prevent it ?  Don’t build file path from user provided data  Don’t execute commands with user provided data  Use an indirection identifier to users  Use firewalls to prevent servers to connect to outside sites 18 String picturesFolder = servletContext.getRealPath("/pictures") ; String pictureName = request.getParameter("pictureName"); File picture = new File((picturesFolder + "/" + pictureName)); Runtime.getRuntime().exec("imageprocessor " + request.getParameter("pictureName")); Tuesday, November 24, 2009
  • 19. www.xebia.fr / blog.xebia.fr Insecure Direct Object Reference Tuesday, November 24, 2009
  • 20. Insecure Direct Object Reference  What ?  Transmit user forgeable identifiers without controlling them server side  Goal ?  Create, modify, delete, read other user’s data  Sample 20 <html><body> <form name="shoppingCart"> <input name="id" type="hidden" value="32" /> ... </form> </body><html> ShoppingCart shoppingCart = entityManager.find(ShoppingCart.class, req.getParameter("id")); Tuesday, November 24, 2009
  • 21. Insecure Direct Object Reference How to prevent it ?  Input identifier validation  reject wildcards (“10%20”)  Add server side identifiers  Control access permissions  See Spring Security 21 Criteria criteria = session.createCriteria(ShoppingCart.class); criteria.add(Restrictions.like("id", request.getParameter("id"))); criteria.add(Restrictions.like("clientId", request.getRemoteUser())); ShoppingCart shoppingCart = (ShoppingCart) criteria.uniqueResult(); Tuesday, November 24, 2009
  • 22. Insecure Direct Object Reference How to prevent it ?  Use server side indirection with generated random  See org.owasp.esapi.AccessReferenceMap 22 String indirectId = request.getParameter("id"); String id = accessReferenceMap.getDirectReference(indirectId); ShoppingCart shoppingCart = entityManager.find(ShoppingCart.class, id); String indirectId = accessReferenceMap.getIndirectReference(shoppingCart.getId()); <html><body> <form name="shoppingCart"> <input name="id" type="hidden" value="${indirectId}" /> ... </form> </body><html> Tuesday, November 24, 2009
  • 23. www.xebia.fr / blog.xebia.fr Cross Site Request Forgery (CSRF) Tuesday, November 24, 2009
  • 24. Cross Site Request Forgery (CSRF)  What ?  Assume that the user is logged to another web site and send a malicious request  Ajax web sites are very exposed !  Goal ?  Perform operations without asking the user  Sample 24 http://mybank.com/transfer.do?amount=100000&recipientAccount=12345 Tuesday, November 24, 2009
  • 25. Cross Site Request Forgery (CSRF) How to prevent it ?  Ensure that no XSS vulnerability exists in your application  Use a random token in sensitive forms  Spring Web Flow and Struts 2 provide such random token mechanisms  Re-authenticate user for sensitive operations 25 <form action="/transfer.do"> <input name="token" type="hidden" value="14689423257893257" /> <input name="amount" /> ... </form> Tuesday, November 24, 2009
  • 26. www.xebia.fr / blog.xebia.fr Information Leakage and Improper Exception Handling Tuesday, November 24, 2009
  • 27. Information Leakage and Improper Exception Handling  What ?  Sensitive code details given to hackers  Usually done raising exceptions  Goal ?  Discover code details to discover vulnerabilities 27 Tuesday, November 24, 2009
  • 28. Information Leakage and Improper Exception Handling  Sample 28 Tuesday, November 24, 2009
  • 29. Information Leakage and Improper Exception Handling How to prevent it ?  Avoid detailed error messages  Beware of development mode messages !  web.xml  Tomcat 29 <web-app> <error-page> <exception-type>java.lang.Throwable</exception-type> <location>/empty-error-page.jsp</location> </error-page> ... </web-app> <Server ...> <Service ...> <Engine ...> <Host errorReportValveClass="com.mycie.tomcat.EmptyErrorReportValve" ...> ... </Host> </Engine> </Service> </Server> Tuesday, November 24, 2009
  • 30. Information Leakage and Improper Exception Handling How to prevent it ?  Don’t display stack traces in Soap Faults  Sanitize GUI error messages  Sample : “Invalid login or password” 30 Tuesday, November 24, 2009
  • 31. www.xebia.fr / blog.xebia.fr Broken Authentication and Session Management Tuesday, November 24, 2009
  • 32. Broken Authentication and Session Management  What ?  Web authentication and session handling have many tricks  Goal ?  Hijack user session 32 Tuesday, November 24, 2009
  • 33. Broken Authentication and Session Management How to prevent it ?  Log session initiation and sensitive data access  Remote Ip, time, login, sensitive data & operation accessed  Use a log4j dedicated non over-written output file  Use out of the box session and authentication mechanisms  Don’t create your own cookies  Look at Spring Security 33 #Audit log4j.appender.audit=org.apache.log4j.DailyRollingFileAppender log4j.appender.audit.datePattern='-'yyyyMMdd log4j.appender.audit.file=audit.log log4j.appender.audit.layout=org.apache.log4j.EnhancedPatternLayout log4j.appender.audit.layout.conversionPattern=%m %throwable{short}n log4j.logger.com.mycompany.audit.Audit=INFO, audit log4j.additivity.com.mycompany.audit.Audit=false Tuesday, November 24, 2009
  • 34. Broken Authentication and Session Management How to prevent it ?  Use SSL and random token for authentication pages  including login page display  Regenerate a new session on successful authentication  Use Http Only session cookies, don’t use URL rewriting based session handling  Prevent brute force attacks using timeouts or locking password on authentication failures  Don’t store clear text password, consider SSHA 34 Tuesday, November 24, 2009
  • 35. Broken Authentication and Session Management How to prevent it ?  Use a timeout period  Remember Me cookies must be invalidated on password change (see Spring Security)  Beware not to write password in log files  Server generated passwords (lost password, etc) must be valid only once  Be able to distinguish SSL communications 35 Tuesday, November 24, 2009
  • 36. Broken Authentication and Session Management How to prevent it ?  For server to server communication, use remote ip control in addition to password validation 36 Tuesday, November 24, 2009
  • 37. www.xebia.fr / blog.xebia.fr Insecure Cryptographic Storage Tuesday, November 24, 2009
  • 38. Insecure Cryptographic Storage  What ?  Cryptography has many traps  Goal ?  Steal sensitive data 38 Tuesday, November 24, 2009
  • 39. Insecure Cryptographic Storage How to prevent it ?  Don’t invent custom cryptography solutions  Java offers approved algorithms for hashing, symmetric key and public key encryptions  Double hashing is a custom weak algorithm  Don’t use weak algorithms  MD5 / SHA1, etc are weak. Prefer SHA-256  Beware of private keys storage  Java doesn’t offer chroot mechanisms to limit private keys files access to root  Storing secrets on servers requires expertise 39 Tuesday, November 24, 2009
  • 40. www.xebia.fr / blog.xebia.fr Insecure Communications Tuesday, November 24, 2009
  • 41. Insecure Communications  What ?  Unsecure communications are easy to hack  Goal ?  Steal sensitive data, hijack user session 41 Tuesday, November 24, 2009
  • 42. Insecure Communications How to prevent it ?  Use SSL with the Servlet API 42 request.isSecure() <web-app ...> ... <security-constraint> <web-resource-collection> <web-resource-name>restricted web services</web-resource-name> <url-pattern>/services/*</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> ... </web-app> Tuesday, November 24, 2009
  • 43. Insecure Communications How to prevent it ?  Use SSL with Spring Security 43 <beans ...> <sec:http auto-config="true"> <sec:intercept-url pattern="/services/**" requires-channel="https" access="IS_AUTHENTICATED_FULLY" /> </sec:http> </beans> Tuesday, November 24, 2009