Breaching a Web Application - Common Issues and Mitigating Steps

•Download as PPTX, PDF•

1 like•570 views

It seems like every day that another company's logo is plastered across the media and they have lost thousands, if not millions of customer records. This kind of data loss is damaging to a company's reputation and their customers have little control of their private information. Attackers often want this data for financial gain or to embarrass that company. There are several methods a malicious attacker will use to gain access to this data. Injection-based attacks leverage an application's lack of input validation to extract information and allow for unauthorized data access. In addition, the platform on which the application resides can be leveraged to gain unauthorized admin access and ultimately, data access. Both scenarios will be discussed and demonstrated in this talk. Finally, mitigating steps will be discussed at every level of the attack. The approach will be a defense in depth model that will proactively protect a web application. While there is no silver bullet against a determined attacker, these mitigations will make their lives more difficult.

Technology

Breaching a Web Application
Common Issues and Mitigating Steps

My Name is Jason
Frank Director of Veris Group’s Adaptive
Threat Division
Trainer for Black Hat
You can find me at @jasonjfrank
Hello!

Agenda
◉An Attacker’s View
◉Injection Attacks 101
◉Misconfigurations
◉Remediation and Mitigations

Testing Process
Discovery
ExploitationPost Exploitation
Pre-
Assessment
Activities
Post-
Assessment
Activities

http://tutorials.jenkov.com/images/software-architecture/n-tier-architecture-2.png

http://tutorials.jenkov.com/images/software-architecture/n-tier-architecture-2.png
DMZ
Protected
Enclave
Internet

https://www.w3.org/2005/03/Demos/insurance.png

◉Provides free documentation on offensive and
defensive application measures
◉Curated “OWASP Top Ten” Vulnerabilities
◉OWASP Web Testing Guide
◉Contains material for:
Web Applications
Mobile
Software Development
Tools

https://www.owasp.org/images/thumb/7/7e/WebTT_thumb.png/400px-WebTT_thumb.png

Injection Attacks
◉Occurs when unintended data is sent to an
application
◉Proper input validation / server-side validation
is not being performed
◉A dynamically built query can be altered to
execute arbitrary calls or requests
◉Common Types of Injection
SQL
XML
OS Command

https://itswadesh.files.wordpress.com/2011/11/sql-injection.jpg

Users
Posts
Comments
Themes
Wordpress
Server
WPDB
User
WP Table

Users
Posts
Comments
Themes
Wordpress
Server
DBA WP
Table
Names
SSNs
Salaries
Addresses
HR
App

“
Quotations are commonly printed
as a means of inspiration and to
invoke philosophical thoughts from
the reader.

SQL Injection
Tools
◉Burp Suite Pro Scanner(Identification)
◉SQLMap
◉SQLNinja

Misconfigurations
◉Serves as a catchup for many facets of the
implementation
◉Can occur at all levels of the technology stack
◉Identifies both technical and procedural
weaknesses

Operating System
Web Servers
Applications
Add-ons

http://www.rvrsh3ll.net/blog/offensive/leveraging-adobe-livecycle/

DMZ
Protected
Enclave
Internet
Internal
Systems

Tools
◉Nikto
◉Web Scanners
Acunetix
NTOSpider
Burp Suite Pro
◉Vulnerability Scanners
Nessus
NeXpose

OWASP SAMM
◉Software Assurance Maturity Model
◉Integrating Assessment and Review Activities
throughout your SDLC
◉Based on your organization’s security drivers
◉https://www.owasp.org/index.php/Category:Softw
are_Assurance_Maturity_Model

Static Reviews
Source code reviews
that are incorporated
throughout the
development cycle.
A Note About
Testing Types
Dynamic Testing
Assessment of the final
solution in an
operational context.

SQL Injection
Prevention
◉OWASP has language specific recommendations
◉Parameterized Queries
◉Input Validation – White Listing
◉Escaping User Input
◉https://www.owasp.org/index.php/SQL_Injection_
Prevention_Cheat_Sheet#Defense_Option_1:_Pr
epared_Statements_.28Parameterized_Queries.
29

Misconfiguration
Prevention
◉Review of all technologies in the stack
◉Implement available hardening guides
◉Have your solution dynamically tested
periodically

Any questions ?
You can find me at
◉ @jasonjfrank
◉ Slides posted at:
http://www.slideshare.net/jasonjfrank
Thanks!

Similar to Breaching a Web Application - Common Issues and Mitigating Steps

Penetration testing dont just leave it to chance

Dr. Anish Cheriyan (PhD)

Title: Why Script Kiddies Succeed Event: 12th Annual Central Ohio InfoSec Summit Date: May 23, 2019 Speaker: Matt Scheurer Abstract: Some offensive security tools have become so user friendly and simple that the barrier to compromising vulnerable systems has become trivial. We will use Kali Linux, SPARTA, OWASP ZAP, and Armitage to demonstrate just how easy exploiting some vulnerabilities has become. The takeaways will be on vulnerability scanning systems in your environment and Proof-of-Concept those findings to help improve your overall security posture. Eliminating the low hanging fruit of vulnerabilities in an environment will help harden those systems against low-skill attackers and receive more mature and meaningful findings from penetration tests. Bio: Some offensive security tools have become so user friendly and simple that the barrier to compromising vulnerable systems has become trivial. We will use Kali Linux, SPARTA, OWASP ZAP, and Armitage to demonstrate just how easy exploiting some vulnerabilities has become. The takeaways will be on vulnerability scanning systems in your environment and Proof-of-Concept those findings to help improve your overall security posture. Eliminating the low hanging fruit of vulnerabilities in an environment will help harden those systems against low-skill attackers and receive more mature and meaningful findings from penetration tests.

Central Ohio InfoSec Summit: Why Script Kiddies Succeed

ThreatReel Podcast

Reversing & malware analysis training part 1 lab setup guide

Abdulrahman Bassam

Ethical Hacking Conference 2015- Building Secure Products -a perspective

Dr. Anish Cheriyan (PhD)

OctaviusWaltonResume

Octavius Walton

Just over a decade ago, the outcry over Microsoft’s security problems reached such a deafening level that it finally got the attention of Bill Gates, who wrote the famous Trustworthy Computing memo. Today, many would say that Microsoft leads the industry in security and vulnerability handling. Now, it’s Java that’s causing the uproar. But has Oracle learned anything from Microsoft in handling these seemingly ceaseless problems? I’ll start by reviewing the wide-ranging Java security changes Oracle is promising to make. They sound so much like the improvements Microsoft made back with Trustworthy Computing that I’m amazed it hasn’t been done before! We’ll move on to discuss what you can do now to address Java security in your environment. One of the banes of security with Java is the presence of multiple versions of Java, often on the same computer. Sometimes you really need multiple versions of Java to support applications with version dependencies (crazy, I know). But other times, multiple copies of Java are there “just because.” In this webinar, we’ll talk about the current Java mess and how you can get out of it, including: Assessment. We’ll discuss ways and tools for cataloging what versions of Java are actually out there on your endpoints. Identification. We’ll look at methods for identifying which versions are actually required by your users; for instance, I’ll show you how you might use Process Tracking and File Access events in the Windows Security Log to see which Java files are being accessed, by whom, and by which programs. Disabling. Can you just disable Java? Maybe not for everyone, but what if you could disable it for certain roles within your company that make up 25% – or even 75% – of your workforce? That would be worth it. We’ll explore how you might go about such a measure. Hardening. We’ll dive into the technical details of hardening Java and reducing your Java attack surface, where possible. Filtering. Another way to reduce your Java risk is by filtering Java content at your gateway. Again not full coverage control – but what is? Patching. Then, we’ll delve into the Java patching nightmare. Depending on self-updaters on each endpoint, is could be a recipe for disaster, and I’ll explain why. Basically the only way out of the Java mess is a 3rd party solution that can perform centralized patch management and remediation and that’s where our sponsor, Lumension, will come in.

Java Insecurity: How to Deal with the Constant Vulnerabilities

Lumension

Humla workshop on Android Security Testing by Sai Sathya narayan Venkatraman, MWR Infosecurity This workshop gives you hands on experience in identifying and exploiting the latest categories of vulnerabilities against modern Android applications based on real world examples. You’ll use the latest testing tools to assess, unravel and exploit applications, and learn about vulnerability classes unique to Android. You will learn:- -To analyze applications from an attacker’s perspective. - Basic understanding of the latest attack vectors against Android applications - To perform black box security assessments against real world applications using the latest and widely used tools more info here http://www.meetup.com/Null-Singapore-The-Open-Security-Community/events/229931768/

Humla workshop on Android Security Testing - null Singapore

n|u - The Open Security Community

Raging Ransomware Roadshow May

Sophos Benelux

Security in the Software Development Life Cycle (SDLC)

Frances Coronel

Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...

Chris Gates

As you've likely heard, Meltdown and Spectre are vulnerabilities that exist in Intel CPUs built since 1995. Hackers can exploit Meltdown and Spectre to get hold of information stored in the memory of other running programs. This might include passwords stored in a password manager or browser, photos, emails, instant messages and even business-critical documents. Join us for a technical webcast to learn more about these threats, and how the security controls in AlienVault Unified Security Management (USM) can help you mitigate these threats. You'll learn: What the AlienVault Labs security research team has learned about these threats How to scan your environment (cloud and on-premises) for the vulnerability with AlienVault USM Anywhere How built-in intrusion detection capabilities of USM Anywhere can detect exploits of these vulnerabilities How the incident response capabilities in USM Anywhere can help you mitigate attacks Watch the On-Demand Webcast here: https://www.alienvault.com/resource-center/webcasts/meltdown-and-spectre-how-to-detect-the-vulnerabilities-and-exploits?utm_medium=Social&utm_source=SlideShare&utm_content=meltdown-spectre-webcast Hosted By Sacha Dawes Principal Product Marketing Manager Sacha joined AlienVault in Feb 2017, where he is responsible for the technical marketing of the AlienVault Unified Security Management (USM) family of solutions. He brings multiple years of experience from product management, product marketing and business management roles at Microsoft, NetIQ, Gemalto and Schlumberger where he has delivered both SaaS-delivered and boxed-product solutions that address the IT security, identity and management space. Originally from the UK, Sacha is based in Austin, TX.

Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits

AlienVault

smpef

rsharmam

To address the inadequacy of traditional anti-virus solutions, white-listing and secure containerization approaches have both gained traction in the enterprise. Both approaches have the overarching goal of preventing a successful breach at the endpoint, but each works differently and also focus on different parts of the cyber kill chain. Invincea, a secure containerization solution, inoculates high-risk and Internet-facing applications against attack by running them in secure virtual containers, which have restricted access to the underlying host OS. This effectively removes the most common means of delivering the infection (see figure below). Any successful exploits of targeted applications (such as IE, Java, Flash, etc.), including by 0-day exploits, are kept safely in quarantine where additional forensic details may be uncovered. Whitelisting attempts to prevent infections by allowing only certain known executables to run. This means whitelisting solutions will not see initial exploits; rather, whitelisting focuses on the next step beyond the exploit where many attacks then attempt to launch 2<sup>nd</sup> stage (malicious) executables with additional goals such as privilege escalation, lateral movement, or data exfiltration. In other words, whitelisting solutions do not have visibility into exploits of existing programs and for memory-resident malware. In addition, whitelisting solutions that prevent unknown software from running will flag legitimate software (such as patches) that are not updated with the whitelist.

Tech Throwdown: Secure Containerization vs Whitelisting

Invincea, Inc.

An Introduction to Secure Application Development

Christopher Frenz

If you thought it was difficult bringing the Ops and Dev teams to the same table, let’s talk about security! Often housed in a separate team, security experts have no incentive to ship software, with a mission solely to minimise risk. This talk is a detailed case study of bringing security into DevOps. We’ll look at the challenges and tactics, from the suboptimal starting point of a highly regulated system with a history of negative media attention. It follows an Agile-aspiring Government IT team from the time when a deployable product was "finished" to when the application was first deployed many months later. This talk is about humans and systems - in particular how groups often need to flex beyond the bounds of what either side considers reasonable, in order to get a job done. We’ll talk about structural challenges, human challenges, and ultimately how we managed to break through them. There are no villains - everybody in this story is a hero, working relentlessly through obstacles of structure, time, law, and history. Come hear what finally made the difference, filling in the missing middle of DevSecOps.

DevSecOps at Agile 2019

Elizabeth Ayer

FinalProjectPresentation.ppt

ssuserc7552c

Threat Modeling workshop by Robert Hurlbut

DevSecCon

Reversing & malware analysis training part 1 lab setup guide

securityxploded

Most organizations require threat models. The industry has recommended threat modeling for years. What holds us back? Master security architect, author and teacher Brook Schoenfield will take participants through a threat model experience based upon years of teaching. Expect a kick start. Practitioners will increase understanding. Experts will gain insight for teaching and programs. (Source : RSA Conference USA 2017)

Threat modeling demystified

Priyanka Aash

Attack Vectors in Biometric Recognition Systems

Clare Nelson, CISSP, CIPP-E

Similar to Breaching a Web Application - Common Issues and Mitigating Steps (20)

Penetration testing dont just leave it to chance

Central Ohio InfoSec Summit: Why Script Kiddies Succeed

Reversing & malware analysis training part 1 lab setup guide

Ethical Hacking Conference 2015- Building Secure Products -a perspective

OctaviusWaltonResume

Java Insecurity: How to Deal with the Constant Vulnerabilities

Humla workshop on Android Security Testing - null Singapore

Raging Ransomware Roadshow May

Security in the Software Development Life Cycle (SDLC)

Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...

Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits

smpef

Tech Throwdown: Secure Containerization vs Whitelisting

An Introduction to Secure Application Development

DevSecOps at Agile 2019

FinalProjectPresentation.ppt

Threat Modeling workshop by Robert Hurlbut

Reversing & malware analysis training part 1 lab setup guide

Threat modeling demystified

Attack Vectors in Biometric Recognition Systems

Recently uploaded

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

A Domino Admins Adventures (Engage 2024)

Gabriella Davis

The Good, the Bad and the Governed - Why is governance a dirty word? David O'Neill, Chief Operating Officer - APIContext Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

apidays

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

The presentation explores the development and application of artificial intelligence (AI) from its inception to its current status in the modern world. The term "artificial intelligence" was first coined by John McCarthy in 1956 to describe efforts to develop computer programs capable of performing tasks that typically require human intelligence. This concept was first introduced at a conference held at Dartmouth College, where programs demonstrated capabilities such as playing chess, proving theorems, and interpreting texts. In the early stages, Alan Turing contributed to the field by defining intelligence as the ability of a being to respond to certain questions intelligently, proposing what is now known as the Turing Test to evaluate the presence of intelligent behavior in machines. As the decades progressed, AI evolved significantly. The 1980s focused on machine learning, teaching computers to learn from data, leading to the development of models that could improve their performance based on their experiences. The 1990s and 2000s saw further advances in algorithms and computational power, which allowed for more sophisticated data analysis techniques, including data mining. By the 2010s, the proliferation of big data and the refinement of deep learning techniques enabled AI to become mainstream. Notable milestones included the success of Google's AlphaGo and advancements in autonomous vehicles by companies like Tesla and Waymo. A major theme of the presentation is the application of generative AI, which has been used for tasks such as natural language text generation, translation, and question answering. Generative AI uses large datasets to train models that can then produce new, coherent pieces of text or other media. The presentation also discusses the ethical implications and the need for regulation in AI, highlighting issues such as privacy, bias, and the potential for misuse. These concerns have prompted calls for comprehensive regulations to ensure the safe and equitable use of AI technologies. Artificial intelligence has also played a significant role in healthcare, particularly highlighted during the COVID-19 pandemic, where it was used in drug discovery, vaccine development, and analyzing the spread of the virus. The capabilities of AI in healthcare are vast, ranging from medical diagnostics to personalized medicine, demonstrating the technology's potential to revolutionize fields beyond just technical or consumer applications. In conclusion, AI continues to be a rapidly evolving field with significant implications for various aspects of society. The development from theoretical concepts to real-world applications illustrates both the potential benefits and the challenges that come with integrating advanced technologies into everyday life. The ongoing discussion about AI ethics and regulation underscores the importance of managing these technologies responsibly to maximize their their benefits while minimizing potential harms.

Artificial Intelligence: Facts and Myths

Joaquim Jorge

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

Discord is a free app offering voice, video, and text chat functionalities, primarily catering to the gaming community. It serves as a hub for users to create and join servers tailored to their interests. Discord’s ecosystem comprises servers, each functioning as a distinct online community with its own channels dedicated to specific topics or activities. Users can engage in text-based discussions, voice calls, or video chats within these channels. Understanding Discord Servers Discord servers are virtual spaces where users congregate to interact, share content, and build communities. Servers may revolve around gaming, hobbies, interests, or fandoms, providing a platform for like-minded individuals to connect. Communication Features Discord offers a range of communication tools, including text channels for messaging, voice channels for real-time audio conversations, and video channels for face-to-face interactions. These features facilitate seamless communication and collaboration. What Does NSFW Mean? The acronym NSFW stands for “Not Safe For Work,” indicating content that may be inappropriate for professional or public settings. NSFW Content NSFW content encompasses material that is sexually explicit, violent, or otherwise graphic in nature. It often includes nudity, profanity, or depictions of sensitive topics.

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

UK Journal

This presentations targets students or working professionals. You may know Google for search, YouTube, Android, Chrome, and Gmail, but did you know Google has many developer tools, platforms & APIs? This comprehensive yet still high-level overview outlines the most impactful tools for where to run your code, store & analyze your data. It will also inspire you as to what's possible. This talk is 50 minutes in length.

Powerful Google developer tools for immediate impact! (2023-24 C)

wesley chun

GenAI Risks & Security Meetup 01052024.pdf

lior mazor

🐬 The future of MySQL is Postgres 🐘

RTylerCroy

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Edi Saputra

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

Scaling API-first – The story of a global engineering organization

Radu Cotescu

Imagine a world where information flows as swiftly as thought itself, making decision-making as fluid as the data driving it. Every moment is critical, and the right tools can significantly boost your organization’s performance. The power of real-time data automation through FME can turn this vision into reality. Aimed at professionals eager to leverage real-time data for enhanced decision-making and efficiency, this webinar will cover the essentials of real-time data and its significance. We’ll explore: FME’s role in real-time event processing, from data intake and analysis to transformation and reporting An overview of leveraging streams vs. automations FME’s impact across various industries highlighted by real-life case studies Live demonstrations on setting up FME workflows for real-time data Practical advice on getting started, best practices, and tips for effective implementation Join us to enhance your skills in real-time data automation with FME, and take your operational capabilities to the next level.

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

Safe Software

Created by Mozilla Research in 2012 and now part of Linux Foundation Europe, the Servo project is an experimental rendering engine written in Rust. It combines memory safety and concurrency to create an independent, modular, and embeddable rendering engine that adheres to web standards. Stewardship of Servo moved from Mozilla Research to the Linux Foundation in 2020, where its mission remains unchanged. After some slow years, in 2023 there has been renewed activity on the project, with a roadmap now focused on improving the engine’s CSS 2 conformance, exploring Android support, and making Servo a practical embeddable rendering engine. In this presentation, Rakhi Sharma reviews the status of the project, our recent developments in 2023, our collaboration with Tauri to make Servo an easy-to-use embeddable rendering engine, and our plans for the future to make Servo an alternative web rendering engine for the embedded devices industry. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://ossna2024.sched.com/event/1aBNF/a-year-of-servo-reboot-where-are-we-now-rakhi-sharma-igalia

A Year of the Servo Reboot: Where Are We Now?

Igalia

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

A Principled Technologies deployment guide Conclusion Deploying VMware Cloud Foundation 5.1 on next gen Dell PowerEdge servers brings together critical virtualization capabilities and high-performing hardware infrastructure. Relying on our hands-on experience, this deployment guide offers a comprehensive roadmap that can guide your organization through the seamless integration of advanced VMware cloud solutions with the performance and reliability of Dell PowerEdge servers. In addition to the deployment efficiency, the Cloud Foundation 5.1 and PowerEdge solution delivered strong performance while running a MySQL database workload. By leveraging VMware Cloud Foundation 5.1 and PowerEdge servers, you could help your organization embrace cloud computing with confidence, potentially unlocking a new level of agility, scalability, and efficiency in your data center operations.

Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...

Principled Technologies

Tata AIG General Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

Following the popularity of "Cloud Revolution: Exploring the New Wave of Serverless Spatial Data," we're thrilled to announce this much-anticipated encore webinar. In this sequel, we'll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you're building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

Recently uploaded (20)

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

A Domino Admins Adventures (Engage 2024)

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

Artificial Intelligence: Facts and Myths

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

How to Troubleshoot Apps for the Modern Connected Worker

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

Powerful Google developer tools for immediate impact! (2023-24 C)

GenAI Risks & Security Meetup 01052024.pdf

🐬 The future of MySQL is Postgres 🐘

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Apidays New York 2024 - The value of a flexible API Management solution for O...

Scaling API-first – The story of a global engineering organization

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

A Year of the Servo Reboot: Where Are We Now?

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...

Tata AIG General Insurance Company - Insurer Innovation Award 2024

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Breaching a Web Application - Common Issues and Mitigating Steps

1. Breaching a Web Application Common Issues and Mitigating Steps

2. My Name is Jason Frank Director of Veris Group’s Adaptive Threat Division Trainer for Black Hat You can find me at @jasonjfrank Hello!

3. Agenda ◉An Attacker’s View ◉Injection Attacks 101 ◉Misconfigurations ◉Remediation and Mitigations

4. An Attacker’s View1

5. Testing Process Discovery ExploitationPost Exploitation Pre- Assessment Activities Post- Assessment Activities

6. http://tutorials.jenkov.com/images/software-architecture/n-tier-architecture-2.png

7. http://tutorials.jenkov.com/images/software-architecture/n-tier-architecture-2.png

8. http://tutorials.jenkov.com/images/software-architecture/n-tier-architecture-2.png DMZ Protected Enclave Internet

9. https://www.w3.org/2005/03/Demos/insurance.png

10. https://www.w3.org/2005/03/Demos/insurance.png

11. ◉Provides free documentation on offensive and defensive application measures ◉Curated “OWASP Top Ten” Vulnerabilities ◉OWASP Web Testing Guide ◉Contains material for: Web Applications Mobile Software Development Tools

12. https://www.owasp.org/images/thumb/7/7e/WebTT_thumb.png/400px-WebTT_thumb.png

13. https://www.owasp.org/images/thumb/7/7e/WebTT_thumb.png/400px-WebTT_thumb.png

14. Injection Attacks 1012

15. Injection Attacks ◉Occurs when unintended data is sent to an application ◉Proper input validation / server-side validation is not being performed ◉A dynamically built query can be altered to execute arbitrary calls or requests ◉Common Types of Injection SQL XML OS Command

16. https://itswadesh.files.wordpress.com/2011/11/sql-injection.jpg

17. Users Posts Comments Themes Wordpress Server WPDB User WP Table

18. Users Posts Comments Themes Wordpress Server DBA WP Table Names SSNs Salaries Addresses HR App

19. “ Quotations are commonly printed as a means of inspiration and to invoke philosophical thoughts from the reader.

20. SQL Injection Tools ◉Burp Suite Pro Scanner(Identification) ◉SQLMap ◉SQLNinja

21. Misconfigurations3

22. Misconfigurations ◉Serves as a catchup for many facets of the implementation ◉Can occur at all levels of the technology stack ◉Identifies both technical and procedural weaknesses

23. Operating System Web Servers Applications Add-ons

24. http://www.rvrsh3ll.net/blog/offensive/leveraging-adobe-livecycle/

25. http://www.rvrsh3ll.net/blog/offensive/leveraging-adobe-livecycle/

26. http://www.rvrsh3ll.net/blog/offensive/leveraging-adobe-livecycle/

27. DMZ Protected Enclave Internet Internal Systems

28. DMZ Protected Enclave Internet Internal Systems

29. DMZ Protected Enclave Internet Internal Systems

30. DMZ Protected Enclave Internet Internal Systems

31. DMZ Protected Enclave Internet Internal Systems

32. DMZ Protected Enclave Internet Internal Systems

33. Tools ◉Nikto ◉Web Scanners Acunetix NTOSpider Burp Suite Pro ◉Vulnerability Scanners Nessus NeXpose

34. Remediation and Mitigation4

35. OWASP SAMM ◉Software Assurance Maturity Model ◉Integrating Assessment and Review Activities throughout your SDLC ◉Based on your organization’s security drivers ◉https://www.owasp.org/index.php/Category:Softw are_Assurance_Maturity_Model

36. Static Reviews Source code reviews that are incorporated throughout the development cycle. A Note About Testing Types Dynamic Testing Assessment of the final solution in an operational context.

37. SQL Injection Prevention ◉OWASP has language specific recommendations ◉Parameterized Queries ◉Input Validation – White Listing ◉Escaping User Input ◉https://www.owasp.org/index.php/SQL_Injection_ Prevention_Cheat_Sheet#Defense_Option_1:_Pr epared_Statements_.28Parameterized_Queries. 29

38. Misconfiguration Prevention ◉Review of all technologies in the stack ◉Implement available hardening guides ◉Have your solution dynamically tested periodically

39. Any questions ? You can find me at ◉ @jasonjfrank ◉ Slides posted at: http://www.slideshare.net/jasonjfrank Thanks!

Breaching a Web Application - Common Issues and Mitigating Steps

Recommended

Recommended

More Related Content

Similar to Breaching a Web Application - Common Issues and Mitigating Steps

Similar to Breaching a Web Application - Common Issues and Mitigating Steps (20)

Recently uploaded

Recently uploaded (20)

Breaching a Web Application - Common Issues and Mitigating Steps