SlideShare una empresa de Scribd logo

Problems with parameters b sides-msp

Mike Saunders
Mike Saunders

Problems With Parameters - A high-level overview of common vulnerabilities identified in web applications, techniques to mitigate these vulnerabilities, and thoughts on incorporating secure webapp development practices into your organization's development culture.

Tecnología
1 de 39
Descargar para leer sin conexión
Mike Saunders Principal—Hardwater Information Security
 In IT for about 20 years, full-time for 16  *NIX/Windows/Net admin, security engineer, architect, and developer in previous life  Currently performing pen tests full time  CISSP, GWAPT, GPEN, GCIH 2
 Seeing the same issues over and over in internally developed, outsourced dev, business partner/vendor and big software vendor apps  Some success with internal teams in improving app security 3
 The Web is a target-rich environment ◦ “[N]early half of all reported vulnerabilities exist in Web applications” (TippingPoint DVLabs, 2010) 4
 In the past, perimeters were porous at best  Hardened perimeters today ◦ Firewalls are better controlled now ◦ Better patching programs ◦ Better server hardening (STIGS, CIS, etc.) 5
 We open the door to web apps to enable business! 6 http://www.pressofatlanticcity.com
 52% of all breaches were the result of hacking ◦ 22% of all hacking attacks were against web apps (Verizon, 2012)  65% of organizations surveyed experienced SQLi attack in the past 12 months (Ponemon, 2014)  SQL Injection and Cross-Site Scripting (XSS) are the most common attacks 7
 Web apps receive input through parameters  Malicious input can result in server-side injection attacks (SQLi, command injection, Xpath injection, ...) or client-side attacks (XSS, CSRF, ...) 8
 2011 SANS/MITRE Top 25 ◦ Three of top four are injection vulnerabilities 1) SQLi 2) Command Injection 4) XSS 12) CSRF—leverages XSS http://www.sans.org/top25-software-errors/ 9
 Occurs when a web app uses input from a user within the output it generates, without validating or encoding it (OWASP)  Client browser interprets server response as a script instead of rendering ◦ Reflected XSS through a malicious URL ◦ Persistent XSS—forum post or profile; injected into content database ◦ DOM-based 10
 Javascript, VBScript, Silverlight  “Deface” websites  Steal session cookies  Install keyloggers/trojans/malware  Take screenshots  Exfiltrate data  CSRF  SHELLS! 11
12 Vulnerable Parameter: trkid Attack string: <script>alert(document.cookie)</script> Vulnerability was responsibly disclosed to Netflix and has been remediated.
 Attacker sends input which is interpreted as a DB command 13
 SHELLS!  Stored XSS to attack site visitors  Steal database contents ◦ Usernames and passwords ◦ Account info ◦ CC#  Alter/delete DB contents 14
 Time-based blind SQLi = database dumped! 15
 Attacker input results in execution of commands in web server OS  Input is included as part of shell command executed by web app 16
 SHELLS!  Install backdoors  Exfiltrate data  Pivot to other systems 17
 Command injection: `ping –c 20 127.0.0.1` ◦ Input passed to external program, interpreted as shell command ◦ Additional command injection mails password file to attacker 18
 80% of web apps vulnerable to XSS  More than 45,000 reported XSS @ xssed.com  26% of 2013 breaches caused by SQLi (Trustwave, 2013) 19
 2014—Tweetdeck retweet XSS ◦ More than 38,000 retweets in an hour  Hold Security announces 1.2 billion records stolen from 420,000 sites via SQLi (Hold Security, 2014) 20
“If builders built buildings the way programmers built programs, the first woodpecker to come along would destroy civilization.” - Gerald Weinberg 21
22 http://www.panoramio.com/photo/10984427
23 http://www.pinterest.com/pin/345299496399829978/
 Don’t bolt on security as an afterthought  Integrate security into development process  Repairs = much higher costs  15× more expensive to repair at testing phase  Up to 100× more expensive after deployment (Jones, 1996) 24
(IDC, 2011) 25
 Peer code reviews  Involve developers in testing code before release ◦ OWASP Testing Guide ◦ OWASP XSS Filter Evasion Cheat Sheet ◦ Testing for SQL Injection (OWASP-DV-005) ◦ Code analysis tools 26
 Use available tools to your advantage ◦ BurpPro—Almost free ◦ OWASP ZAP Proxy ◦ OWASP Xenotix ◦ SoapUI test suite ◦ SANS SWAT Checklist 27
28 http://i9.photobucket.com/albums/a81/kos102/2009/Other/tin-foil-cat.jpg
http://demonarex.files.wordpress.com/2011/03/house-everybody-lies2.jpg 29
 Never trust input from client! ◦ Even if it’s provided automatically by browser  Validation is key ◦ Whitelist – define what’s good, drop everything else  Ex: SSN / Phone / CC# should only be digits  See OWASP XSS & SQLi Prevention Cheat Sheets  Always validate server-side ◦ Client side is easily bypassed 30
 Escape untrusted input ◦ If you must accept untrusted input, make sure you render it inert by escaping ( ‘ -> ‘ )  Encode untrusted input before returning to client ◦ <script>alert(1)</script> becomes &lt;script&gt;alert(1)&lt;/script&gt; 31
 Set cookies using HttpOnly  Content-Security-Policy header ◦ https://www.owasp.org/index.php/Content_Securit y_Policy 32
 Again, never trust input from client, always validate  Always escape or encode dangerous characters if required to process “ - ‘ -- ; ”  Use prepared statements whenever possible  Escape everything!  OWASP SQLi Prevention Cheat Sheet 33
 .NET platform ◦ Microsoft Anti-Cross Site Scripting Library  ASP.NET Framework ◦ ValidateRequest()  Java ◦ OWASP ESAPI ◦ OWASP Java Encoder Project  OWASP Encoding Project ◦ Multi-platform: Java, .NET, PHP, Perl, Python, Javascript, ASP, Ruby 34
 Secure AppDev starts before code is written  Grow secure developers—peer reviews, cross-training, mentoring  Be Paranoid! Never trust input ◦ Validate, escape, encode  Use available security resources (OWASP, SANS, etc.) 35
 SANS Securing Web Application Technologies Checklist ◦ http://www.securingthehuman.org/developer/swat  SANS/MITRE Top 25 Software Errors ◦ http://www.sans.org/top25-software-errors/  OWASP XSS Prevention Cheat Sheet ◦ https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_ Cheat_Sheet  OWASP DOM-based XSS Prevention Cheat Sheet ◦ https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sh eet  OWASP SQLi Prevention Cheat Sheet ◦ https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet  OWASP XSS Filter Evasion Cheat Sheet ◦ https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet  OWASP Cheat Sheets ◦ https://www.owasp.org/index.php/Cheat_Sheets 36
 Google Application Security Library – XSS ◦ http://www.google.com/about/appsecurity/learning/xss/  Testing for SQL Injection (OWASP-DV-005) ◦ https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OWASP-DV-005)  Microsoft Anti-Cross Site Scripting Library ◦ http://wpl.codeplex.com/  OWASP Enterprise Security API ◦ https://www.owasp.org/index.php/ESAPI  OWASP Encoding Project ◦ https://www.owasp.org/index.php/Category:OWASP_Encoding_Project  Ruby on Rails Security Basics ◦ https://www.netsparker.com/blog/web-security/ruby-on-rails-security-basics/  Developing Secure Web Application – Cross-Site Scripting ◦ http://www.slideshare.net/codecampiasi/developing-secure-web-application- crosssite-scripting-xss  XSSing Your Way to Shell ◦ https://speakerdeck.com/varbaek/xssing-your-way-to-shell 37
 Greenberg, A. (2013, July 31). SQL injection attacks still enable breaches, all these years later. SCMagazine. Retrieved from http://www.scmagazine.com/sql-injection-attacks-still-enable-breaches-all-these-years- later/article/305433/  Hold Security (2014, August 5). You Have Been Hacked Retrieved from http://www.holdsecurity.com/news/cybervor-breach/  IDC. (2011). The Case for Building in Web Application Security from the Start. [White paper]. Retrieved from http://resources.idgenterprise.com/original/AST- 0048510_The_case_for_building_in_web_application_security_from_the_start.PDF  Jones, C. (1996). Applied Software Measurement: Assuring Productivity and Quality. Mcgraw-Hill  Ponemon Institute. (2014) The SQL Injection Threat Study. Retrieved from: http://www.dbnetworks.com/contact/PonemonSQLInjectionThreatSurveyDownload.htm  TippingPoint DVLabs. (2011) 2010 Full Year Top Cyber Security Risks Report. Retrieved from http://dvlabs.tippingpoint.com/img/FullYear2010%20Risk%20Report.pdf  Trustwave. (2013) 2013 Global Security Report. Retrieved from http://www2.trustwave.com/rs/trustwave/images/2013-Global-Security-Report.pdf  Verizon. (2013) 2012 Data Breach Investigations Report. Retrieved from http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012- ebk_en_xg.pdf 38
 msaunders.sec@gmail.com  @hardwaterhacker  Blog: http://hardwatersec.blogspot.com/ 39

Recomendados

[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10
OWASP
 
Secure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSecure Coding for Java - An Introduction
Secure Coding for Java - An Introduction
Sebastien Gioria
 
BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat Security Conference
 
[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automation[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automation
OWASP
 
Enterprise Vulnerability Management - ZeroNights16
Enterprise Vulnerability Management - ZeroNights16Enterprise Vulnerability Management - ZeroNights16
Enterprise Vulnerability Management - ZeroNights16
Alexander Leonov
 
CyberCentral Summit 2018 in Prague
CyberCentral Summit 2018 in PragueCyberCentral Summit 2018 in Prague
CyberCentral Summit 2018 in Prague
Alexander Leonov
 
PHDays 8: Vulnerability Databases. Sifting thousands tons of verbal ore
PHDays 8: Vulnerability Databases. Sifting thousands tons of verbal orePHDays 8: Vulnerability Databases. Sifting thousands tons of verbal ore
PHDays 8: Vulnerability Databases. Sifting thousands tons of verbal ore
Alexander Leonov
 
Implementing ossec
Implementing ossecImplementing ossec
Implementing ossec
Jeronimo Zucco
 

Recomendados

[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10
OWASP
 
Secure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSecure Coding for Java - An Introduction
Secure Coding for Java - An Introduction
Sebastien Gioria
 
BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat Security Conference
 
[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automation[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automation
OWASP
 
Enterprise Vulnerability Management - ZeroNights16
Enterprise Vulnerability Management - ZeroNights16Enterprise Vulnerability Management - ZeroNights16
Enterprise Vulnerability Management - ZeroNights16
Alexander Leonov
 
CyberCentral Summit 2018 in Prague
CyberCentral Summit 2018 in PragueCyberCentral Summit 2018 in Prague
CyberCentral Summit 2018 in Prague
Alexander Leonov
 
PHDays 8: Vulnerability Databases. Sifting thousands tons of verbal ore
PHDays 8: Vulnerability Databases. Sifting thousands tons of verbal orePHDays 8: Vulnerability Databases. Sifting thousands tons of verbal ore
PHDays 8: Vulnerability Databases. Sifting thousands tons of verbal ore
Alexander Leonov
 
Implementing ossec
Implementing ossecImplementing ossec
Implementing ossec
Jeronimo Zucco
 
[Wroclaw #7] AWS (in)security - the devil is in the detail
[Wroclaw #7] AWS (in)security - the devil is in the detail[Wroclaw #7] AWS (in)security - the devil is in the detail
[Wroclaw #7] AWS (in)security - the devil is in the detail
OWASP
 
CSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application security
CanSecWest
 
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat Security Conference
 
Cyber Security and Open Source
Cyber Security and Open SourceCyber Security and Open Source
Cyber Security and Open Source
POSSCON
 
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat Security Conference
 
Vulnerability Intelligence and Assessment with vulners.com
Vulnerability Intelligence and Assessment with vulners.comVulnerability Intelligence and Assessment with vulners.com
Vulnerability Intelligence and Assessment with vulners.com
Alexander Leonov
 
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...
Alexander Leonov
 
Advanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source SecurityAdvanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source Security
AlienVault
 
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat Security Conference
 
BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard
BlueHat Security Conference
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software
OWASP
 
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat Security Conference
 
OISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerOISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec Primer
CiNPA Security SIG
 
[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101
OWASP
 
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Madhu Akula
 
Content Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooContent Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at Yahoo
Binu Ramakrishnan
 
Open Source Security
Open Source SecurityOpen Source Security
Open Source Security
Sander Temme
 
Let’s play the game. Yet another way to perform penetration test. Russian “re...
Let’s play the game. Yet another way to perform penetration test. Russian “re...Let’s play the game. Yet another way to perform penetration test. Russian “re...
Let’s play the game. Yet another way to perform penetration test. Russian “re...
Kirill Ermakov
 
[OWASP Poland Day] A study of Electron security
[OWASP Poland Day] A study of Electron security[OWASP Poland Day] A study of Electron security
[OWASP Poland Day] A study of Electron security
OWASP
 
Testing Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam editionTesting Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam edition
Jose Manuel Ortega Candel
 
Memory forensics cheat sheet
Memory forensics cheat sheetMemory forensics cheat sheet
Memory forensics cheat sheet
Martin Cabrera
 
Network DDoS Incident Response Cheat Sheet (by SANS)
Network DDoS Incident Response Cheat Sheet (by SANS)Network DDoS Incident Response Cheat Sheet (by SANS)
Network DDoS Incident Response Cheat Sheet (by SANS)
Martin Cabrera
 

Más contenido relacionado

La actualidad más candente

[Wroclaw #7] AWS (in)security - the devil is in the detail
[Wroclaw #7] AWS (in)security - the devil is in the detail[Wroclaw #7] AWS (in)security - the devil is in the detail
[Wroclaw #7] AWS (in)security - the devil is in the detail
OWASP
 
CSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application security
CanSecWest
 
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat Security Conference
 
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat Security Conference
 
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat Security Conference
 
BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard
BlueHat Security Conference
 
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat Security Conference
 
OISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerOISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec Primer
CiNPA Security SIG
 
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Madhu Akula
 
[OWASP Poland Day] A study of Electron security
[OWASP Poland Day] A study of Electron security[OWASP Poland Day] A study of Electron security
[OWASP Poland Day] A study of Electron security
OWASP
 

La actualidad más candente (20)

[Wroclaw #7] AWS (in)security - the devil is in the detail
[Wroclaw #7] AWS (in)security - the devil is in the detail[Wroclaw #7] AWS (in)security - the devil is in the detail
[Wroclaw #7] AWS (in)security - the devil is in the detail
 
CSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application security
 
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
 
Cyber Security and Open Source
Cyber Security and Open SourceCyber Security and Open Source
Cyber Security and Open Source
 
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
 
Vulnerability Intelligence and Assessment with vulners.com
Vulnerability Intelligence and Assessment with vulners.comVulnerability Intelligence and Assessment with vulners.com
Vulnerability Intelligence and Assessment with vulners.com
 
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...
 
Advanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source SecurityAdvanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source Security
 
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
 
BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software
 
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
 
OISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerOISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec Primer
 
[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101
 
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
 
Content Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooContent Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at Yahoo
 
Open Source Security
Open Source SecurityOpen Source Security
Open Source Security
 
Let’s play the game. Yet another way to perform penetration test. Russian “re...
Let’s play the game. Yet another way to perform penetration test. Russian “re...Let’s play the game. Yet another way to perform penetration test. Russian “re...
Let’s play the game. Yet another way to perform penetration test. Russian “re...
 
[OWASP Poland Day] A study of Electron security
[OWASP Poland Day] A study of Electron security[OWASP Poland Day] A study of Electron security
[OWASP Poland Day] A study of Electron security
 
Testing Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam editionTesting Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam edition
 

Destacado

Owasp Indy Q2 2012 Advanced SQLi
Owasp Indy Q2 2012 Advanced SQLiOwasp Indy Q2 2012 Advanced SQLi
Owasp Indy Q2 2012 Advanced SQLi
owaspindy
 
Owasp Indy Q2 2012 Cheat Sheet Overview
Owasp Indy Q2 2012 Cheat Sheet OverviewOwasp Indy Q2 2012 Cheat Sheet Overview
Owasp Indy Q2 2012 Cheat Sheet Overview
owaspindy
 
Introduction to Programming with C# Book - книга за C# програмиране
Introduction to Programming with C# Book - книга за C# програмиранеIntroduction to Programming with C# Book - книга за C# програмиране
Introduction to Programming with C# Book - книга за C# програмиране
Intro C# Book
 
REST HTTP Response Codes Cheat Sheet
REST HTTP Response Codes Cheat SheetREST HTTP Response Codes Cheat Sheet
REST HTTP Response Codes Cheat Sheet
Markus Tacker
 

Destacado (20)

Memory forensics cheat sheet
Memory forensics cheat sheetMemory forensics cheat sheet
Memory forensics cheat sheet
 
Network DDoS Incident Response Cheat Sheet (by SANS)
Network DDoS Incident Response Cheat Sheet (by SANS)Network DDoS Incident Response Cheat Sheet (by SANS)
Network DDoS Incident Response Cheat Sheet (by SANS)
 
Owasp Indy Q2 2012 Advanced SQLi
Owasp Indy Q2 2012 Advanced SQLiOwasp Indy Q2 2012 Advanced SQLi
Owasp Indy Q2 2012 Advanced SQLi
 
Owasp Indy Q2 2012 Cheat Sheet Overview
Owasp Indy Q2 2012 Cheat Sheet OverviewOwasp Indy Q2 2012 Cheat Sheet Overview
Owasp Indy Q2 2012 Cheat Sheet Overview
 
Google Search Cheat Sheet
Google Search Cheat SheetGoogle Search Cheat Sheet
Google Search Cheat Sheet
 
Regular Expressions cheat-sheet v2
Regular Expressions cheat-sheet v2Regular Expressions cheat-sheet v2
Regular Expressions cheat-sheet v2
 
Business analyst titles, knowledge and tasks
Business analyst titles, knowledge and tasksBusiness analyst titles, knowledge and tasks
Business analyst titles, knowledge and tasks
 
Introduction to Programming with C# Book - книга за C# програмиране
Introduction to Programming with C# Book - книга за C# програмиранеIntroduction to Programming with C# Book - книга за C# програмиране
Introduction to Programming with C# Book - книга за C# програмиране
 
Vi Cheat Sheet v 1 00
Vi Cheat Sheet v 1 00Vi Cheat Sheet v 1 00
Vi Cheat Sheet v 1 00
 
Linux Bash Shell Cheat Sheet for Beginners
Linux Bash Shell Cheat Sheet for BeginnersLinux Bash Shell Cheat Sheet for Beginners
Linux Bash Shell Cheat Sheet for Beginners
 
Unix Command-Line Cheat Sheet BTI2014
Unix Command-Line Cheat Sheet BTI2014Unix Command-Line Cheat Sheet BTI2014
Unix Command-Line Cheat Sheet BTI2014
 
Security Incident Log Review Checklist by Dr Anton Chuvakin and Lenny Zeltser
Security Incident Log Review Checklist by Dr Anton Chuvakin and Lenny ZeltserSecurity Incident Log Review Checklist by Dr Anton Chuvakin and Lenny Zeltser
Security Incident Log Review Checklist by Dr Anton Chuvakin and Lenny Zeltser
 
Linux cheat-sheet
Linux cheat-sheetLinux cheat-sheet
Linux cheat-sheet
 
Rework cheat sheet
Rework cheat sheetRework cheat sheet
Rework cheat sheet
 
REST HTTP Response Codes Cheat Sheet
REST HTTP Response Codes Cheat SheetREST HTTP Response Codes Cheat Sheet
REST HTTP Response Codes Cheat Sheet
 
Social Platform Cheat Sheet
Social Platform Cheat SheetSocial Platform Cheat Sheet
Social Platform Cheat Sheet
 
Python Cheat Sheet
Python Cheat SheetPython Cheat Sheet
Python Cheat Sheet
 
Scrum Cheat Sheet
Scrum Cheat SheetScrum Cheat Sheet
Scrum Cheat Sheet
 
Designers Cheat Sheet Illustrated 03
Designers Cheat Sheet Illustrated 03Designers Cheat Sheet Illustrated 03
Designers Cheat Sheet Illustrated 03
 
Composting
CompostingComposting
Composting
 

Similar a Problems with parameters b sides-msp

OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
Philippe Gamache
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
Philippe Gamache
 
Security Testing - Zap It
Security Testing - Zap ItSecurity Testing - Zap It
Security Testing - Zap It
Manjyot Singh
 
[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilities[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilities
OWASP
 
Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycle
Rogue Wave Software
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
Brian Huff
 
Secure DevOps: A Puma's Tail
Secure DevOps: A Puma's TailSecure DevOps: A Puma's Tail
Secure DevOps: A Puma's Tail
Puma Security, LLC
 

Similar a Problems with parameters b sides-msp (20)

Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 seba
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
Security Testing - Zap It
Security Testing - Zap ItSecurity Testing - Zap It
Security Testing - Zap It
 
Security testing zap it
Security testing zap itSecurity testing zap it
Security testing zap it
 
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Drupal Security Seminar
Drupal Security SeminarDrupal Security Seminar
Drupal Security Seminar
 
[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilities[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilities
 
Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730
 
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
 
Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycle
 
Cyber ppt
Cyber pptCyber ppt
Cyber ppt
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
 
Become a Security Ninja
Become a Security NinjaBecome a Security Ninja
Become a Security Ninja
 
Web Security
Web SecurityWeb Security
Web Security
 
Secure DevOps: A Puma's Tail
Secure DevOps: A Puma's TailSecure DevOps: A Puma's Tail
Secure DevOps: A Puma's Tail
 
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
 

Más de Mike Saunders

SDR101-presentation-distro
SDR101-presentation-distroSDR101-presentation-distro
SDR101-presentation-distro
Mike Saunders
 
InsiderThreat-2016NDITS
InsiderThreat-2016NDITSInsiderThreat-2016NDITS
InsiderThreat-2016NDITS
Mike Saunders
 
Detecting-Preventing-Insider-Threat
Detecting-Preventing-Insider-ThreatDetecting-Preventing-Insider-Threat
Detecting-Preventing-Insider-Threat
Mike Saunders
 
DetectingSpearPhishingAttacks
DetectingSpearPhishingAttacksDetectingSpearPhishingAttacks
DetectingSpearPhishingAttacks
Mike Saunders
 
Is Your Data Literally Walking Out the Door-presentation
Is Your Data Literally Walking Out the Door-presentationIs Your Data Literally Walking Out the Door-presentation
Is Your Data Literally Walking Out the Door-presentation
Mike Saunders
 

Más de Mike Saunders (12)

I Want My EIP - Buffer Overflow 101
I Want My EIP - Buffer Overflow 101I Want My EIP - Buffer Overflow 101
I Want My EIP - Buffer Overflow 101
 
BSidesMSP 2017 - SDR101 workshop
BSidesMSP 2017 - SDR101 workshopBSidesMSP 2017 - SDR101 workshop
BSidesMSP 2017 - SDR101 workshop
 
SDR 101 - NDSU CyberSecurity 2017
SDR 101 - NDSU CyberSecurity 2017SDR 101 - NDSU CyberSecurity 2017
SDR 101 - NDSU CyberSecurity 2017
 
SDR101-presentation-distro
SDR101-presentation-distroSDR101-presentation-distro
SDR101-presentation-distro
 
InsiderThreat-2016NDITS
InsiderThreat-2016NDITSInsiderThreat-2016NDITS
InsiderThreat-2016NDITS
 
Detecting-Preventing-Insider-Threat
Detecting-Preventing-Insider-ThreatDetecting-Preventing-Insider-Threat
Detecting-Preventing-Insider-Threat
 
DetectingSpearPhishingAttacks
DetectingSpearPhishingAttacksDetectingSpearPhishingAttacks
DetectingSpearPhishingAttacks
 
You Will Be Breached
You Will Be BreachedYou Will Be Breached
You Will Be Breached
 
Is Your Data Literally Walking Out the Door?
Is Your Data Literally Walking Out the Door?Is Your Data Literally Walking Out the Door?
Is Your Data Literally Walking Out the Door?
 
YBB-NW-distribution
YBB-NW-distributionYBB-NW-distribution
YBB-NW-distribution
 
Is Your Data Literally Walking Out the Door-presentation
Is Your Data Literally Walking Out the Door-presentationIs Your Data Literally Walking Out the Door-presentation
Is Your Data Literally Walking Out the Door-presentation
 
You will be breached
You will be breachedYou will be breached
You will be breached
 

Último

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 

Último (20)

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 

Problems with parameters b sides-msp

  • 2.  In IT for about 20 years, full-time for 16  *NIX/Windows/Net admin, security engineer, architect, and developer in previous life  Currently performing pen tests full time  CISSP, GWAPT, GPEN, GCIH 2
  • 3.  Seeing the same issues over and over in internally developed, outsourced dev, business partner/vendor and big software vendor apps  Some success with internal teams in improving app security 3
  • 4.  The Web is a target-rich environment ◦ “[N]early half of all reported vulnerabilities exist in Web applications” (TippingPoint DVLabs, 2010) 4
  • 5.  In the past, perimeters were porous at best  Hardened perimeters today ◦ Firewalls are better controlled now ◦ Better patching programs ◦ Better server hardening (STIGS, CIS, etc.) 5
  • 6.  We open the door to web apps to enable business! 6 http://www.pressofatlanticcity.com
  • 7.  52% of all breaches were the result of hacking ◦ 22% of all hacking attacks were against web apps (Verizon, 2012)  65% of organizations surveyed experienced SQLi attack in the past 12 months (Ponemon, 2014)  SQL Injection and Cross-Site Scripting (XSS) are the most common attacks 7
  • 8.  Web apps receive input through parameters  Malicious input can result in server-side injection attacks (SQLi, command injection, Xpath injection, ...) or client-side attacks (XSS, CSRF, ...) 8
  • 9.  2011 SANS/MITRE Top 25 ◦ Three of top four are injection vulnerabilities 1) SQLi 2) Command Injection 4) XSS 12) CSRF—leverages XSS http://www.sans.org/top25-software-errors/ 9
  • 10.  Occurs when a web app uses input from a user within the output it generates, without validating or encoding it (OWASP)  Client browser interprets server response as a script instead of rendering ◦ Reflected XSS through a malicious URL ◦ Persistent XSS—forum post or profile; injected into content database ◦ DOM-based 10
  • 11.  Javascript, VBScript, Silverlight  “Deface” websites  Steal session cookies  Install keyloggers/trojans/malware  Take screenshots  Exfiltrate data  CSRF  SHELLS! 11
  • 12. 12 Vulnerable Parameter: trkid Attack string: <script>alert(document.cookie)</script> Vulnerability was responsibly disclosed to Netflix and has been remediated.
  • 13.  Attacker sends input which is interpreted as a DB command 13
  • 14.  SHELLS!  Stored XSS to attack site visitors  Steal database contents ◦ Usernames and passwords ◦ Account info ◦ CC#  Alter/delete DB contents 14
  • 15.  Time-based blind SQLi = database dumped! 15
  • 16.  Attacker input results in execution of commands in web server OS  Input is included as part of shell command executed by web app 16
  • 17.  SHELLS!  Install backdoors  Exfiltrate data  Pivot to other systems 17
  • 18.  Command injection: `ping –c 20 127.0.0.1` ◦ Input passed to external program, interpreted as shell command ◦ Additional command injection mails password file to attacker 18
  • 19.  80% of web apps vulnerable to XSS  More than 45,000 reported XSS @ xssed.com  26% of 2013 breaches caused by SQLi (Trustwave, 2013) 19
  • 20.  2014—Tweetdeck retweet XSS ◦ More than 38,000 retweets in an hour  Hold Security announces 1.2 billion records stolen from 420,000 sites via SQLi (Hold Security, 2014) 20
  • 21. “If builders built buildings the way programmers built programs, the first woodpecker to come along would destroy civilization.” - Gerald Weinberg 21
  • 24.  Don’t bolt on security as an afterthought  Integrate security into development process  Repairs = much higher costs  15× more expensive to repair at testing phase  Up to 100× more expensive after deployment (Jones, 1996) 24
  • 26.  Peer code reviews  Involve developers in testing code before release ◦ OWASP Testing Guide ◦ OWASP XSS Filter Evasion Cheat Sheet ◦ Testing for SQL Injection (OWASP-DV-005) ◦ Code analysis tools 26
  • 27.  Use available tools to your advantage ◦ BurpPro—Almost free ◦ OWASP ZAP Proxy ◦ OWASP Xenotix ◦ SoapUI test suite ◦ SANS SWAT Checklist 27
  • 30.  Never trust input from client! ◦ Even if it’s provided automatically by browser  Validation is key ◦ Whitelist – define what’s good, drop everything else  Ex: SSN / Phone / CC# should only be digits  See OWASP XSS & SQLi Prevention Cheat Sheets  Always validate server-side ◦ Client side is easily bypassed 30
  • 31.  Escape untrusted input ◦ If you must accept untrusted input, make sure you render it inert by escaping ( ‘ -> ‘ )  Encode untrusted input before returning to client ◦ <script>alert(1)</script> becomes &lt;script&gt;alert(1)&lt;/script&gt; 31
  • 32.  Set cookies using HttpOnly  Content-Security-Policy header ◦ https://www.owasp.org/index.php/Content_Securit y_Policy 32
  • 33.  Again, never trust input from client, always validate  Always escape or encode dangerous characters if required to process “ - ‘ -- ; ”  Use prepared statements whenever possible  Escape everything!  OWASP SQLi Prevention Cheat Sheet 33
  • 34.  .NET platform ◦ Microsoft Anti-Cross Site Scripting Library  ASP.NET Framework ◦ ValidateRequest()  Java ◦ OWASP ESAPI ◦ OWASP Java Encoder Project  OWASP Encoding Project ◦ Multi-platform: Java, .NET, PHP, Perl, Python, Javascript, ASP, Ruby 34
  • 35.  Secure AppDev starts before code is written  Grow secure developers—peer reviews, cross-training, mentoring  Be Paranoid! Never trust input ◦ Validate, escape, encode  Use available security resources (OWASP, SANS, etc.) 35
  • 36.  SANS Securing Web Application Technologies Checklist ◦ http://www.securingthehuman.org/developer/swat  SANS/MITRE Top 25 Software Errors ◦ http://www.sans.org/top25-software-errors/  OWASP XSS Prevention Cheat Sheet ◦ https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_ Cheat_Sheet  OWASP DOM-based XSS Prevention Cheat Sheet ◦ https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sh eet  OWASP SQLi Prevention Cheat Sheet ◦ https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet  OWASP XSS Filter Evasion Cheat Sheet ◦ https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet  OWASP Cheat Sheets ◦ https://www.owasp.org/index.php/Cheat_Sheets 36
  • 37.  Google Application Security Library – XSS ◦ http://www.google.com/about/appsecurity/learning/xss/  Testing for SQL Injection (OWASP-DV-005) ◦ https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OWASP-DV-005)  Microsoft Anti-Cross Site Scripting Library ◦ http://wpl.codeplex.com/  OWASP Enterprise Security API ◦ https://www.owasp.org/index.php/ESAPI  OWASP Encoding Project ◦ https://www.owasp.org/index.php/Category:OWASP_Encoding_Project  Ruby on Rails Security Basics ◦ https://www.netsparker.com/blog/web-security/ruby-on-rails-security-basics/  Developing Secure Web Application – Cross-Site Scripting ◦ http://www.slideshare.net/codecampiasi/developing-secure-web-application- crosssite-scripting-xss  XSSing Your Way to Shell ◦ https://speakerdeck.com/varbaek/xssing-your-way-to-shell 37
  • 38.  Greenberg, A. (2013, July 31). SQL injection attacks still enable breaches, all these years later. SCMagazine. Retrieved from http://www.scmagazine.com/sql-injection-attacks-still-enable-breaches-all-these-years- later/article/305433/  Hold Security (2014, August 5). You Have Been Hacked Retrieved from http://www.holdsecurity.com/news/cybervor-breach/  IDC. (2011). The Case for Building in Web Application Security from the Start. [White paper]. Retrieved from http://resources.idgenterprise.com/original/AST- 0048510_The_case_for_building_in_web_application_security_from_the_start.PDF  Jones, C. (1996). Applied Software Measurement: Assuring Productivity and Quality. Mcgraw-Hill  Ponemon Institute. (2014) The SQL Injection Threat Study. Retrieved from: http://www.dbnetworks.com/contact/PonemonSQLInjectionThreatSurveyDownload.htm  TippingPoint DVLabs. (2011) 2010 Full Year Top Cyber Security Risks Report. Retrieved from http://dvlabs.tippingpoint.com/img/FullYear2010%20Risk%20Report.pdf  Trustwave. (2013) 2013 Global Security Report. Retrieved from http://www2.trustwave.com/rs/trustwave/images/2013-Global-Security-Report.pdf  Verizon. (2013) 2012 Data Breach Investigations Report. Retrieved from http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012- ebk_en_xg.pdf 38
  • 39.  msaunders.sec@gmail.com  @hardwaterhacker  Blog: http://hardwatersec.blogspot.com/ 39