Web Security 101
An overview of some common application exploits



Mike Shema
Security Research Engineer, Qualys Inc.
Web Security

 Web application (in)security continues to grow
   Web-related vulnerabilities pop up on Bugtraq daily.
   (http://www.securityfocus.com/bid/)
   Web-related attacks are expensive to investigate,
   react to, and resolve.
   Web security became a requirement of PCI in 2008.
 XSS remains a significant problem
   Original CERT advisory February 2000
   (http://www.cert.org/advisories/CA-2000-02.html)

   USENET references to “malicious html” and
   “malicious javascript” as far back as 1996
        comp.security.unix post on March 1996: http://tinyurl.com/2s593m
        Entertaining discussion of JavaScript: http://tinyurl.com/2g2476

Web Security


 Reported web server vulnerabilities have decreased
    IIS 6.0 released April 2003
        MS06-034 (specially-crafted ASP file could cause buffer overflow)
        No resurgence of Code Red or Nimda style vulnerabilities
    Apache 2.0.45 (March 2003) to Apache 2.0.63 (January 2008)
        40 security bugs according to changelog
        24 specific to core or mod_ssl
    Apache 2.2.0 (November 2005) to Apache 2.2.8 (January 2008)
        13 security bugs according to changelog
        2 specific to core or mod_ssl

 And the number of servers continues to grow significantly

 [Chart: Active Sites According to Netcraft, May-03 to Apr-08, Apache vs. IIS; y-axis 0 to 35,000,000 sites]
Leave the Buffer Overflows at Home

 Exploiting most web vulnerabilities has a very
 low barrier to entry.

 Low-sophistication attacks can still lead to
 high-impact exploits.

 More codified lists are defined in the OWASP Top
 10 and the WASC Threat Classification.
Threats Evolve

 Financial motivation

 Infect rather than deface

 Increased potential for targeted attacks

 Exploit the trust between the server and
 browser


Attacks Adapt


 Bring the exploit to the victim rather than bring the victim to
 the exploit.

 “Web 2.0”: More business logic and capabilities moved to
 the web browser.

 Social networking as an enabler for non-technical attacks.

 Insert malicious content into a web page

 Target the web browser


Persistent Browser Problems


 Assumption of trust in HTML and
 JavaScript (no “signed” content)

 No separation of UI generation and data
 manipulation

 Few restrictions on pulling together inter-domain
 content, no “trusted peers” for a domain.
What do these attacks look like?


 Review some examples to see where
 vulnerabilities exist and how they are
 exploited.




The Usual Suspects


 SQL Injection
   One of the easiest vulnerabilities to prevent.
   Occurs when users can alter the actual query.
     For example, SQL queries built with string
     concatenation, or even raw SQL queries passed in a URL
     parameter.
Recent Examples


 Hacking & Happiness
   One password to rule them all
   Poor separation of duties
   Lack of rate limiting
   http://tinyurl.com/9f7ata




Recent Examples


 Session Fixation & Stock Inflation
   Buy stocks using someone else’s account.




Recent Examples

Victim receives an e-mail with a legitimate link to the trading site:
    https://site/login.cgi?sid=65531                         (Session ID = 655321)

x.y.72.13  --> /trade.cgi?sid=655321&shares=1000&stock=FOO   (Unauthenticated)
           <-- server: Redirect to /login.cgi

x.y.72.13  --> /trade.cgi?sid=655321&shares=1000&stock=FOO   (Unauthenticated)
           <-- server: Redirect to /login.cgi

x.y.72.13  --> /trade.cgi?sid=655321&shares=1000&stock=FOO   (Unauthenticated)
           <-- server: Redirect to /login.cgi

a.b.101.92 --> /login.cgi?sid=655321                          (Authenticated)
           <-- server: Redirect to /welcome.cgi?sid=655321

x.y.72.13  --> /trade.cgi?sid=655321&shares=1000&stock=FOO   (Authenticated)
           <-- server: Trade executed
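The sequence above, replayed against a constructed in-memory session store (added example, not code from the slides or from any trading site): the vulnerable store accepts whatever `sid` arrives with the login and marks it authenticated, so the planted 655321 starts working the moment the victim logs in; the hardened store discards the presented `sid` and issues a fresh server-generated one, which is what the /welcome.cgi redirect should carry instead. Names such as `SessionStore` and `replay_slide_sequence` are this example's own.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: Optional[str] = None   # None until the browser has authenticated


class SessionStore:
    """Constructed stand-in for the trading site's session handling."""

    def __init__(self, regenerate_on_login: bool):
        self.regenerate_on_login = regenerate_on_login
        self._sessions: Dict[str, Session] = {}

    def login(self, presented_sid: str, user: str) -> str:
        """Authenticate `user`; return the sid the browser must use afterwards."""
        if not self.regenerate_on_login:
            # Vulnerable: the sid that arrived in the URL (possibly chosen by a
            # third party and delivered by e-mail) becomes an authenticated session.
            self._sessions.setdefault(presented_sid, Session()).user = user
            return presented_sid
        # Hardened: never promote a client-supplied sid. Drop any pre-login
        # session tied to it and bind the authenticated user to a new, random sid.
        self._sessions.pop(presented_sid, None)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user=user)
        return sid

    def trade(self, sid: str, shares: int, stock: str) -> str:
        """/trade.cgi: redirect unauthenticated callers, execute for authenticated ones."""
        session = self._sessions.get(sid)
        if session is None or session.user is None:
            return "redirect:/login.cgi"
        return f"executed:{session.user}:{shares}:{stock}"


def replay_slide_sequence(regenerate_on_login: bool) -> dict:
    """Replay the slide: three polls with the planted sid, the victim's login,
    then one more poll. Returns every server response for inspection."""
    store = SessionStore(regenerate_on_login)
    planted_sid = "655321"                      # value fixed in the e-mailed link
    polls = [store.trade(planted_sid, 1000, "FOO") for _ in range(3)]   # x.y.72.13
    victim_sid = store.login(planted_sid, "victim")                     # a.b.101.92
    return {
        "polls_before_login": polls,
        "victim_sid_after_login": victim_sid,
        "victim_trade": store.trade(victim_sid, 10, "FOO"),
        "planted_sid_trade": store.trade(planted_sid, 1000, "FOO"),
    }


if __name__ == "__main__":
    print("vulnerable:", replay_slide_sequence(False)["planted_sid_trade"])
    print("hardened:  ", replay_slide_sequence(True)["planted_sid_trade"])
```

The same regeneration rule applies to any privilege change (login, password change, role switch), not only the first authentication.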
Recent Examples


 Inspection & Infiltration
   Abusing server-side scripts
   http://tinyurl.com/d6ymuc




Recent Examples


../lists/admin/index.php?_SERVER[ConfigFile]=../../php.ini

  Viewing arbitrary files on the web server for
  sensitive content
  A confluence of programming error,
  misconfiguration, and lack of host
  hardening




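Two of the three contributing factors named above are programming errors that the application itself can close: binding every request parameter into server-side state (which is how a name like `_SERVER[ConfigFile]` reaches the script) and opening a file path taken from a request without checking where it resolves. The following is an added example, not code from the slides or from the affected software; the directory layout it builds is constructed, and `bind_request_params` and `resolve_within` are this example's own names.

```python
import os
import tempfile


def bind_request_params(params, allowed=("list", "page")):
    """Copy only expected parameter names into the handler's namespace.

    Binding *every* request parameter (register_globals style) is what lets a
    parameter named _SERVER[ConfigFile] overwrite server-side configuration.
    """
    return {k: v for k, v in params.items() if k in allowed}


def resolve_within(base_dir, requested):
    """Canonicalise base_dir/requested and return it only if it stays inside base_dir.

    realpath collapses '..' segments and follows symlinks before the check, and
    commonpath (not startswith) is used so that a sibling directory sharing the
    base's name as a prefix, e.g. admin-old next to admin, is also rejected.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def demo():
    """Build a constructed tree mirroring the slide's ../lists/admin/ layout and
    exercise both checks; returns the results so they can be asserted on."""
    with tempfile.TemporaryDirectory() as root:
        admin = os.path.join(root, "lists", "admin")
        os.makedirs(admin)
        with open(os.path.join(admin, "site.ini"), "w") as f:
            f.write("[site]\n")                      # the file the script should read
        with open(os.path.join(root, "php.ini"), "w") as f:
            f.write("; constructed stand-in for the interpreter config\n")
        return {
            "bound": bind_request_params(
                {"_SERVER[ConfigFile]": "../../php.ini", "list": "news"}),
            "in_bounds": resolve_within(admin, "site.ini") is not None,
            "traversal": resolve_within(admin, "../../php.ini"),        # two levels up
            "sibling_prefix": resolve_within(admin, "../admin-old/site.ini"),
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The third factor, host hardening, sits outside the code: the web server's user should not be able to read interpreter or system configuration files in the first place, so a containment bug does not become a disclosure.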
Wildly Different Vulnerabilities


 Programming errors
 Session fixation
 Cross-site request forgery
 Lack of input validation
 Insecure environment




Where Are The Worms?


 Attacks like Nimda, Code Red or SQL
 Slammer haven’t been repeated in a while

 Exploit preferences seem to fall to the
 lowest common denominator




Manual & Automated Testing


 Complementary approaches
 What matters most for your environment?
   Cost
   Scalability
   Repeatability
   Comprehensiveness
   Accuracy
 What to expect from each approach?


Automated Testing

 Ideal for large-scale or repetitive scans
 Primarily focuses on syntax problems,
 misconfigurations, and known issues
 Several challenges in determining a good
 scanner
   Crawling & site coverage
   Authentication & session management
   Comprehensiveness & accuracy




Manual Testing


 Ideal for in-depth security review
 Biggest advantage over automated testing
 is the ability to understand the
 application’s business logic
 Typically relies on some form of
 automated testing




Proactive Countermeasures


 Prevent the initial compromise in order to
 minimize the potential for the application to be
 used as a distribution point for malicious content
 Web application hardening
   Prevent unexpected HTML injection
   Identify areas where user-generated content is
   permitted
      Pre-inspect content
      Quarantine content
 Continuous site monitoring

Development Quick Reference

 Don’t store raw passwords.
   Store the salted hash.
 Don’t use string concatenation when building SQL
 queries.
   Use parameterized queries.
 HTML-encode user-supplied content that is written to a
 web page.
 Normalize input.
   Work with an expected character set & encoding.
   Decode multi-level URL encoding.
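The four quick-reference items, and the SQL injection slide earlier (a query built by string concatenation next to its parameterized form), worked through in one added example that is not code from the slides: salted PBKDF2 password storage, a parameterized query, HTML output encoding, and a bounded multi-level URL decoder. The SQLite table and all sample values are constructed for the example; `lookup_concat`, `lookup_param`, `hash_password`, `verify_password`, `render_comment` and `normalize_param` are this example's own names.

```python
import hashlib
import hmac
import html
import os
import sqlite3
from urllib.parse import unquote


def build_demo_db():
    """Constructed in-memory user table standing in for an application's store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "admin")])
    return conn


def lookup_concat(conn, name):
    # Vulnerable form: the parameter is spliced into the SQL text, so a quote
    # inside `name` changes the structure of the query rather than its data.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    # Hardened form: the driver ships the value separately from the SQL text,
    # so whatever it contains is only ever compared as a string.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def hash_password(password, salt=None, iterations=200_000):
    """Store salt, iteration count and PBKDF2-HMAC-SHA256 digest, never the password."""
    salt = salt if salt is not None else os.urandom(16)   # per-user random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def render_comment(user_text):
    """HTML-encode user-supplied content before writing it into the page body."""
    return "<p>" + html.escape(user_text, quote=True) + "</p>"


def normalize_param(value, max_rounds=3):
    """Decode repeated URL encoding until the value is stable.

    Legitimate clients encode once, so a value that is still changing after
    max_rounds passes is rejected instead of being decoded further.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError(f"parameter still URL-encoded after {max_rounds} rounds")


if __name__ == "__main__":
    db = build_demo_db()
    print("concatenated:", lookup_concat(db, "x' OR '1'='1"))   # every row leaks
    print("parameterized:", lookup_param(db, "x' OR '1'='1"))   # no match
    print(render_comment("<b>hi</b>"))
    print(normalize_param("%253Cb%253E"))
```

Run the normalization before validation so the validator sees the same bytes the application will act on, and do the HTML encoding at output time with the encoding that matches the page's declared charset.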
Summary


 The web browser continues to bear more and
 more functionality that used to be relegated to
 desktop applications, but the browser security
 model hasn’t kept pace.
 Attackers are placing more focus on compromising
 trusted sites rather than luring victims to fake sites.
 Social networking, Web 2.0, and similar concepts
 place more and more personal data only a
 browser request away.
 Most reported compromises seem due to lack of
 input validation (XSS and SQL injection).
Thank you!




Questions




            was-info@qualys.com


 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 

Web Application Scanning 101

  • 1. Web Security 101 An overview of some common application exploits Mike Shema Security Research Engineer, Qualys Inc.
  • 2. Web Security Web application (in)security continues to grow Web-related vulnerabilities pop up on Bugtraq daily. (http://www.securityfocus.com/bid/) Web-related attacks are large and expensive to investigate, react, and resolve. Web security became a requirement of PCI in 2008. XSS remains a significant problem Original CERT advisory February 2000 (http://www.cert.org/advisories/CA-2000-02.html) USENET references to “malicious html” and “malicious javascript” as far back as 1996 comp.security.unix post on March 1996: http://tinyurl.com/2s593m Entertaining discussion of JavaScript: http://tinyurl.com/2g2476 2
  • 3. Web Security Reported web server vulnerabilities have decreased IIS 6.0 released April 2003 MS06-034 (specially-crafted ASP file could cause buffer overflow) No resurgence of Code Red or Nimda style vulnerabilities Apache 2.0.45 (March 2003) to Apache 2.0.63 (January 2008) 40 security bugs according to changelog 24 specific to core or mod_ssl Apache 2.2.0 (November 2005) to Apache 2.2.8 (January 2008) 13 security bugs according to changelog 2 specific to core or mod_ssl And the number of servers continues to grow significantly [Chart: Active Sites According to Netcraft, Apache vs. IIS, May-03 to Apr-08, 0 to 35,000,000] 3
  • 4. Leave the Buffer Overflows at Home Exploiting most web vulnerabilities has a very low barrier to entry. Low sophistication attacks can still lead to high impact exploits More codified lists defined in the OWASP TOP 10 and the WASC Threat Classification 4
  • 5. Threats Evolve Financial motivation Infect rather than deface Increased potential for targeted attacks Exploit the trust between the server and browser 5
  • 6. Attacks Adapt Bring the exploit to victim rather than bring the victim to the exploit. “Web 2.0”: More business logic and capabilities moved to the web browser. Social networking as an enabler for non-technical attacks. Insert malicious content into a web page Target the web browser 6
  • 7. Persistent Browser Problems Assumption of trust in HTML and JavaScript (no “signed” content) No separation of UI generation and data manipulation Few restrictions on pulling together inter- domain content, no “trusted peers” for a domain. 7
  • 8. What do these attacks look like? Review some examples to see where vulnerabilities exist and how they are exploited. 8
  • 9. The Usual Suspects SQL Injection One of the easiest vulnerabilities to prevent. Occurs when users can alter the actual query. For example, SQL queries made with string concatenation or even raw SQL queries in a URL parameter. 9
  • 10. Recent Examples Hacking & Happiness One password to rule them all Poor separation of duties Lack of rate limiting http://tinyurl.com/9f7ata 10
  • 11. Recent Examples Session Fixation & Stock Inflation Buy stocks using someone else’s account. 11
  • 12. Recent Examples Victim receives an e-mail with a legitimate link to the trading site: https://site/login.cgi?sid=65531 Session ID = 655321
      x.y.72.13  --> /trade.cgi?sid=655321&shares=1000&stock=FOO
      server     <-- Unauthenticated: Redirect to /login.cgi
      x.y.72.13  --> /trade.cgi?sid=655321&shares=1000&stock=FOO
      server     <-- Unauthenticated: Redirect to /login.cgi
      x.y.72.13  --> /trade.cgi?sid=655321&shares=1000&stock=FOO
      server     <-- Unauthenticated: Redirect to /login.cgi
      a.b.101.92 --> /login.cgi?sid=655321
      server     <-- Authenticated: Redirect to /welcome.cgi?sid=655321
      x.y.72.13  --> /trade.cgi?sid=655321&shares=1000&stock=FOO
      server     <-- Authenticated: Trade executed
    12
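Added example, not from the deck: a constructed Python model of the exchange on this slide, with the trading site's login handler in its session-fixable form beside one that issues a fresh session ID on authentication. The function names, the credentials and the in-memory session store are assumptions.

```python
import secrets

# Constructed stand-in for the trading site's server: a dict mapping
# session ID -> authenticated user. Not the site's real code.
USERS = {"victim": "correct horse"}  # constructed credentials


def trade(store, sid, shares, stock):
    """Server response to /trade.cgi?sid=...&shares=...&stock=... from the slide."""
    user = store.get(sid)
    if user is None:
        return "302 /login.cgi"  # Unauthenticated -> Redirect to /login.cgi
    return f"200 trade executed: {user} buys {shares} {stock}"


def login_fixable(store, presented_sid, user, password):
    """Vulnerable: the sid that arrived with the login request (from the
    e-mailed ?sid= link) is simply marked authenticated."""
    if USERS.get(user) != password:
        return presented_sid, "302 /login.cgi"
    store[presented_sid] = user
    return presented_sid, f"302 /welcome.cgi?sid={presented_sid}"


def login_hardened(store, presented_sid, user, password):
    """Fixed: the pre-login sid is discarded and a fresh, unguessable one is
    issued on successful authentication, so a sid chosen before login can
    never become an authenticated session."""
    if USERS.get(user) != password:
        return presented_sid, "302 /login.cgi"
    store.pop(presented_sid, None)
    fresh = secrets.token_urlsafe(32)
    store[fresh] = user
    return fresh, f"302 /welcome.cgi?sid={fresh}"


def replay(login):
    """Replays the slide's exchange: x.y.72.13 polls /trade.cgi with the fixed
    sid 655321, a.b.101.92 logs in through the link carrying that sid, then
    x.y.72.13 polls again. Returns (response before login, response after)."""
    store = {}
    fixed = "655321"
    before = trade(store, fixed, 1000, "FOO")
    login(store, fixed, "victim", "correct horse")
    after = trade(store, fixed, 1000, "FOO")
    return before, after
```

The same regeneration on login applies to cookie-carried session IDs; accepting a session ID from a URL parameter at all is the first thing to remove.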
  • 13. Recent Examples Inspection & Infiltration Abusing server-side scripts http://tinyurl.com/d6ymuc 13
  • 14. Recent Examples ../lists/admin/index.php?_SERVER[ConfigFile]=../../php.ini Viewing arbitrary files on the web server for sensitive content A confluence of programming error, misconfiguration, and lack of host hardening 14
  • 15. Wildly Different Vulnerabilities Programming errors Session fixation Cross-site request forgery Lack of input validation Insecure environment 15
  • 16. Where Are The Worms? Attacks like Nimda, Code Red or SQL Slammer haven’t been repeated in a while Exploit preferences seem to fall to the lowest common denominator 16
  • 17. Manual & Automated Testing Complementary approaches What matters most for your environment? Cost Scalability Repeatability Comprehensiveness Accuracy What to expect from each approach? 17
  • 18. Automated Testing Ideal for large-scale or repetitive scans Primarily focuses on syntax problems, misconfigurations, and known issues Several challenges to determining a good scanner Crawling & site coverage Authentication & session management Comprehensiveness & accuracy 18
  • 19. Manual Testing Ideal for in-depth security review Biggest advantage over automated testing is the ability to understand the application’s business logic Typically relies on some form of automated testing 19
  • 20. Proactive Countermeasures Prevent the initial compromise in order to minimize the potential for the application to be used as a distribution point for malicious content Web application hardening Prevent unexpected HTML injection Identify areas where user-generated content is permitted Pre-inspect content Quarantine content Continuous site monitoring 20
  • 21. Development Quick Reference Don’t store raw passwords. Store the salted hash Don’t use string concatenation when building SQL queries. Use parameterized queries HTML encode user-supplied content that is written to a web page Normalize input Work with an expected character set & encoding. Decode multi-level URL encoding 21
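Added example, not the deck's code, putting the quick-reference points into Python: bounded multi-level URL decoding with a character-set check, a salted PBKDF2 hash instead of a raw password, the string-concatenated query from slide 9 beside its parameterized form, and HTML encoding of user content. The table layout, function names and work factor are assumptions.

```python
import hashlib
import html
import secrets
import sqlite3
from urllib.parse import unquote
PBKDF2_ROUNDS = 100_000  # assumed work factor for the salted hash

def normalize(value, max_levels=3):
    # Decode multi-level URL encoding (%2527 -> %27 -> ') until stable; reject
    # anything nested deeper than max_levels or outside the expected charset.
    for _ in range(max_levels + 1):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    else:
        raise ValueError("too many URL-encoding levels")
    value.encode("ascii")  # raises UnicodeEncodeError for unexpected characters
    return value

def setup_db():
    db = sqlite3.connect(":memory:")  # constructed in-memory user table
    db.execute("CREATE TABLE users (name TEXT, pw_hash BLOB, salt BLOB)")
    return db

def store_password(db, name, password):
    # Don't store raw passwords: keep a per-user salt and the salted PBKDF2 hash.
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (name, pw_hash, salt))

def verify_password(db, name, password):
    row = db.execute("SELECT pw_hash, salt FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), row[1], PBKDF2_ROUNDS)
    return secrets.compare_digest(row[0], candidate)

def find_user_concat(db, name):
    # The "don't": concatenation lets the value alter the query text, so even a
    # benign apostrophe (O'Brien) reaches the SQL parser and breaks the query.
    return db.execute("SELECT name FROM users WHERE name = '" + name + "'").fetchall()

def find_user_param(db, name):
    # The "do": the value is bound as a parameter and never parsed as SQL.
    return db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()

def render_comment(text):
    # HTML-encode user-supplied content before writing it into a page.
    return "<p>" + html.escape(text, quote=True) + "</p>"
```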
  • 22. Summary The web browser continues to bear more and more functionality that used to be relegated to desktop applications -- but the browser security model hasn’t kept pace. Attackers are placing more focus on compromising trusted sites rather than luring victims to fake sites. Social networking, Web 2.0, and similar concepts place more and more personal data only a browser request away. Most reported compromises seem due to lack of input validation (XSS and SQL injection). 22
  • 24. Questions was-info@qualys.com 24