Some Notes on Web Application Firewalls

Size: px
Start display at page:

Download "Some Notes on Web Application Firewalls"

Transcription

1 Some Notes on Web Application Firewalls or Why You still Get Owned

2 #whoami Member of Application Security Team, ERNW GmbH Contact: ERNW GmbH Frank Block Breslauer Str Heidelberg ERNW GmbH Breslauer Straße 28 D Heidelberg #2

3 ERNW GmbH Breslauer Straße 28 D Heidelberg #3 #whoami Head of Application Security & Chief Security Officer, ERNW GmbH Contact: ERNW GmbH Michael Thumann Breslauer Str Heidelberg

4 ERNW GmbH Breslauer Straße 28 D Heidelberg #4 Attack Vectors Web Application

5 ERNW GmbH Breslauer Straße 28 D Heidelberg #5 Web Application Attacks

6 ERNW GmbH Breslauer Straße 28 D Heidelberg #6 SQL Injection Example

7 ERNW GmbH Breslauer Straße 28 D Heidelberg #7 What s a WAF Web Application Firewalls

8 ERNW GmbH Breslauer Straße 28 D Heidelberg #8 Web Application Firewalls Basically a filter that controls the traffic between a client and the application Its main purpose is to detect and defend against application layer attacks which could lead to - Data loss - Denial of Service - Web Site Defacement

9 ERNW GmbH Breslauer Straße 28 D Heidelberg #9 Possible reasons for the usage of WAFs Insecure Application with maybe already known vulnerabilities Additional Protection No confidence in own/foreign Software developers

10 ERNW GmbH Breslauer Straße 28 D Heidelberg #10 Web Application Firewalls Detection mechanisms - Negative Detection Model - Positive Detection Model - Additional Mechanisms Possible deployments - Reverse Proxy - Layer 2 Bridge - Network monitor - Server based - Embedded

11 ERNW GmbH Breslauer Straße 28 D Heidelberg #11 Detection Mechanisms Negative Detection Model - Blacklisting approach - Database with known "bad" Strings Positive Detection Model - Whitelisting approach - WAF learns/gets teached "good" Input and rejects all other Input Additional Mechanisms - Time based detection - Anomaly based detection

12 ERNW GmbH Breslauer Straße 28 D Heidelberg #12 WAF deployments Network Monitor Layer 2 Bridge Reverse Proxy

13 ERNW GmbH Breslauer Straße 28 D Heidelberg #13 WAF deployments Server based Embedded Web app

14 ERNW GmbH Breslauer Straße 28 D Heidelberg #14 but... Effort - for the WAF testing/ configuration (and retesting/ configuration on new releases) - concerning the environment adjustment - regarding maintenance/ troubleshooting

15 ERNW GmbH Breslauer Straße 28 D Heidelberg #15 Vulnerabilities that could be mitigated by a WAF

16 ERNW GmbH Breslauer Straße 28 D Heidelberg #16 Fingerprinting Web Application Firewalls

17 WAFs covered in research ModSecurity PHPIDS WebKnight URLScan Web Application Firewall ERNW GmbH Breslauer Straße 28 D Heidelberg #17

18 ERNW GmbH Breslauer Straße 28 D Heidelberg #18 Fingerprinting Phase one: 10 Teststrings Phase two: "Specialties"

19 ERNW GmbH Breslauer Straße 28 D Heidelberg #19 ModSecurity GET /print.php?message=a HTTP/1.1\r\n Host: modsec.waf\r\n User-Agent: libwww\r\n \r\n GET /print.php?message=a HTTP/1.1\r\n Host: modsec.waf\r\n User-Agent: libwww\r\n Accept: a\r\n \r\n

20 ERNW GmbH Breslauer Straße 28 D Heidelberg #20 PHPIDS No global Filtering $BAD_STRING

21 ERNW GmbH Breslauer Straße 28 D Heidelberg #21 WebKnight Status Code: 999 Status Message: No Hacking Server: WWW Server/1.1 WebKnight specific Errorpage %3E

22 ERNW GmbH Breslauer Straße 28 D Heidelberg #22 URLScan GET / HTTP/1.1\r\n Host: webknight.waf:80\r\n User-Agent: Mozilla/5.5 (compatible; MSIE 5.5; Windows NT 5.1) \r\n Accept: */*\r\n If: aaaa\r\n Translate: aaaa\r\n Lock-Token: aaaa\r\n Accept: */*\r\n If: \r\n Translate: \r\n Lock-Token: \r\n

23 ERNW GmbH Breslauer Straße 28 D Heidelberg #23 Web Application Firewall 460 Custom Errorpage The specified URL cannot be found The requested service is temporarily unavailable. It is either overloaded or under maintenance. Please try later. Additional HTML comment:

24 ERNW GmbH Breslauer Straße 28 D Heidelberg #24 Circumvention Web Application Firewalls

25 ERNW GmbH Breslauer Straße 28 D Heidelberg #25 WAF secured J

26 ERNW GmbH Breslauer Straße 28 D Heidelberg #26 SQLi based Circumvention 'or 'a='='a= 'or 'a'='a'-- 'or 1 -- ' --

27 ERNW GmbH Breslauer Straße 28 D Heidelberg #27 But these statements can't be used to extract data, hm? Remember? SELECT count(*) FROM Users WHERE Username = '$NAME' AND Password = '$PASSWORD' Christmas already? UPDATE orders SET dstaddress = '$ADDRESS' WHERE orderid = ' ' Heartland,Hannaford? MasterCard? SELECT owner,cc_num,cc_type FROM customers WHERE owner = '$NAME'

28 ERNW GmbH Breslauer Straße 28 D Heidelberg #28 A note on vendor reactions Regarding a very simple and common SQLi attack string: or a = a J "We are also aware of that issue, but I don't see how we can effectively block this without causing a lot of false positives..."

29 ERNW GmbH Breslauer Straße 28 D Heidelberg #29 XSS filter Circumvention 1. Initial circumvention <input oninput=alert(1)>asd 2. After applying "Tag Filter" <input%0aaaaaaa oninput=location.href='http:// 3. After applying "URL Filter" <input%0aaaaaaa oninput=location.href='htt'+'p://

30 ERNW GmbH Breslauer Straße 28 D Heidelberg #30 General Circumvention 3 of 4 WAFs seemed to be vulnerable to the usage of some event handlers especially in combination with tags/event handlers introduced in HTML5

31 ERNW GmbH Breslauer Straße 28 D Heidelberg #31 Short current example Web Application Firewalls

32 ERNW GmbH Breslauer Straße 28 D Heidelberg #32 Reasons for a WAF deployment Delay between discovery and fix of a vulnerability Access to application source code is: - limited - impossible

33 ERNW GmbH Breslauer Straße 28 D Heidelberg #33 tsakwaf The Swiss Army Knife for Web Application Firewalls Web Application Firewalls

34 tsakwaf Developed to support the daily work of a web application pentester and to help testing the detection capabilities of a WAF Current version: The Troopers Version J Licensed under the 3-clause BSD license tsakwaf tar.gz ERNW GmbH Breslauer Straße 28 D Heidelberg #34

35 ERNW GmbH Breslauer Straße 28 D Heidelberg #35 Supported functions Encoding XSS Code Generator HPP/HPF Code Generator WAF Fingerprinting

36 ERNW GmbH Breslauer Straße 28 D Heidelberg #36 time for a demo? tsakwaf

37 ERNW GmbH Breslauer Straße 28 D Heidelberg #37 Fingerprinting

38 ERNW GmbH Breslauer Straße 28 D Heidelberg #38 Fingerprinting

39 ERNW GmbH Breslauer Straße 28 D Heidelberg #39 Fingerprinting

40 ERNW GmbH Breslauer Straße 28 D Heidelberg #40 Fingerprinting

41 ERNW GmbH Breslauer Straße 28 D Heidelberg #41 Fingerprinting

42 ERNW GmbH Breslauer Straße 28 D Heidelberg #42 XSS Code Generator

43 ERNW GmbH Breslauer Straße 28 D Heidelberg #43 XSS Code Generator

44 ERNW GmbH Breslauer Straße 28 D Heidelberg #44 Conclusions Identification of a specific WAF is possible Blacklisting - no effective protection WAF vendors are only slowly adding new technologies Focus should lie on secure Programming (SDL)

45 ERNW GmbH Breslauer Straße 28 D Heidelberg #45 Questions?

ERNW Newsletter 35 / July 2011

ERNW Newsletter 35 / July 2011 ERNW Newsletter 35 / July 2011 Dear Partners and Colleagues, Welcome to the ERNW-Newsletters No. 35 covering the topic: Web Application Firewall (WAF) Security and The Swiss Army Knife for Web Application

More information

Contemporary Web Application Attacks. Ivan Pang Senior Consultant Edvance Limited

Contemporary Web Application Attacks. Ivan Pang Senior Consultant Edvance Limited Contemporary Web Application Attacks Ivan Pang Senior Consultant Edvance Limited Agenda How Web Application Attack impact to your business? What are the common attacks? What is Web Application Firewall

More information

Web Application Firewalls: What the vendors do NOT want you to know SHAKACON III

Web Application Firewalls: What the vendors do NOT want you to know SHAKACON III Web Application Firewalls: What the vendors do NOT want you to know $ whois WendelGH PT Consultant at Trustwave's SpiderLabs. Over 7 years in the security industry. Vulnerability discovery Webmails, AP,

More information

Web Application Firewall Profiling and Evasion. Michael Ritter Cyber Risk Services Deloitte

Web Application Firewall Profiling and Evasion. Michael Ritter Cyber Risk Services Deloitte Web Application Firewall Profiling and Evasion Michael Ritter Cyber Risk Services Deloitte Content 1. Introduction 2. WAF Basics 3. Identifying a WAF 4. WAF detection tools 5. WAF bypassing methods 6.

More information

Intrusion detection for web applications

Intrusion detection for web applications Intrusion detection for web applications Intrusion detection for web applications Łukasz Pilorz Application Security Team, Allegro.pl Reasons for using IDS solutions known weaknesses and vulnerabilities

More information

PT Consultant at Trustwave's SpiderLabs. Over 7 years in the security industry. Vulnerability discovery Webmails, AP, Citrix, etc. Spoke in YSTS 2.

PT Consultant at Trustwave's SpiderLabs. Over 7 years in the security industry. Vulnerability discovery Webmails, AP, Citrix, etc. Spoke in YSTS 2. The Truth about Web Application Firewalls: What the vendors do NOT want you to know. $ whois WendelGH PT Consultant at Trustwave's SpiderLabs. Over 7 years in the security industry. Vulnerability discovery

More information

We protect you applications! No, you don t. Digicomp Hacking Day 2013 May 16 th 2013

We protect you applications! No, you don t. Digicomp Hacking Day 2013 May 16 th 2013 We protect you applications! No, you don t Digicomp Hacking Day 2013 May 16 th 2013 Sven Vetsch Partner & CTO at Redguard AG www.redguard.ch Specialized in Application Security (Web, Web-Services, Mobile,

More information

Guidelines for Web applications protection with dedicated Web Application Firewall

Guidelines for Web applications protection with dedicated Web Application Firewall Guidelines for Web applications protection with dedicated Web Application Firewall Prepared by: dr inŝ. Mariusz Stawowski, CISSP Bartosz Kryński, Imperva Certified Security Engineer INTRODUCTION Security

More information

EVADING ALL WEB-APPLICATION FIREWALLS XSS FILTERS

EVADING ALL WEB-APPLICATION FIREWALLS XSS FILTERS EVADING ALL WEB-APPLICATION FIREWALLS XSS FILTERS SEPTEMBER 2015 MAZIN AHMED MAZIN@MAZINAHMED.NET @MAZEN160 Table of Contents Topic Page Number Abstract 3 Introduction 3 Testing Environment 4 Products

More information

Web Application Firewall Bypassing

Web Application Firewall Bypassing Web Application Firewall Bypassing how to defeat the blue team KHALIL BIJJOU CYBER RISK SERVICES DELOITTE 29 th Octobre 2015 STRUCTURE Motivation & Objective Introduction to Web Application Firewalls Bypassing

More information

Playing with Web Application Firewalls

Playing with Web Application Firewalls Playing with Web Application Firewalls Who is Wendel? Independent penetration test analyst. Affiliated to Hackaholic team. Over 7 years in the security industry. Discovered vulnerabilities in Webmails,

More information

Data Breaches and Web Servers: The Giant Sucking Sound

Data Breaches and Web Servers: The Giant Sucking Sound Data Breaches and Web Servers: The Giant Sucking Sound Guy Helmer CTO, Palisade Systems, Inc. Lecturer, Iowa State University @ghelmer Session ID: DAS-204 Session Classification: Intermediate The Giant

More information

Firewalls P+S Linux Router & Firewall 2013

Firewalls P+S Linux Router & Firewall 2013 Firewalls P+S Linux Router & Firewall 2013 Firewall Techniques What is a firewall? A firewall is a hardware or software device which is configured to permit, deny, or proxy data through a computer network

More information

Playing with Web Application Firewalls

Playing with Web Application Firewalls Playing with Web Application Firewalls DEFCON 16, August 8-10, 2008, Las Vegas, NV, USA Who is Wendel Guglielmetti Henrique? Penetration Test analyst at SecurityLabs - Intruders Tiger Team Security division

More information

Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks. Whitepaper

Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks. Whitepaper Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks Whitepaper The security industry has extensively focused on protecting against malicious injection attacks like

More information

NSFOCUS Web Application Firewall White Paper

NSFOCUS Web Application Firewall White Paper White Paper NSFOCUS Web Application Firewall White Paper By NSFOCUS White Paper - 2014 NSFOCUS NSFOCUS is the trademark of NSFOCUS Information Technology Co., Ltd. NSFOCUS enjoys all copyrights with respect

More information

Implementation of Web Application Firewall

Implementation of Web Application Firewall Implementation of Web Application Firewall OuTian 1 Introduction Abstract Web 層 應 用 程 式 之 攻 擊 日 趨 嚴 重, 而 國 內 多 數 企 業 仍 不 知 該 如 何 以 資 安 設 備 阻 擋, 仍 在 採 購 傳 統 的 Firewall/IPS,

More information

Where every interaction matters.

Where every interaction matters. Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper

More information

Web Application Security

Web Application Security Web Application Security Ng Wee Kai Senior Security Consultant PulseSecure Pte Ltd About PulseSecure IT Security Consulting Company Part of Consortium in IDA (T) 606 Term Tender Cover most of the IT Security

More information

Web Application Firewalls Evaluation and Analysis. University of Amsterdam System & Network Engineering MSc

Web Application Firewalls Evaluation and Analysis. University of Amsterdam System & Network Engineering MSc Web Application Firewalls Evaluation and Analysis Andreas Karakannas Andreas.Karakanas@os3.nl George Thessalonikefs George.Thessalonikefs@os3.nl University of Amsterdam System & Network Engineering MSc

More information

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference Cracking the Perimeter via Web Application Hacking Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference About 403 Labs 403 Labs is a full-service information security and compliance

More information

Application security testing: Protecting your application and data

Application security testing: Protecting your application and data E-Book Application security testing: Protecting your application and data Application security testing is critical in ensuring your data and application is safe from security attack. This ebook offers

More information

EC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST.

EC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST. CENTER FOR ADVANCED SECURITY TRAINING 619 Advanced SQLi Attacks and Countermeasures Make The Difference About Center of Advanced Security Training () The rapidly evolving information security landscape

More information

JOOMLA SECURITY. ireland website design. by Oliver Hummel. ADDRESS Unit 12D, Six Cross Roads Business Park, Waterford City

JOOMLA SECURITY. ireland website design. by Oliver Hummel. ADDRESS Unit 12D, Six Cross Roads Business Park, Waterford City JOOMLA SECURITY by Oliver Hummel ADDRESS Unit 12D, Six Cross Roads Business Park, Waterford City CONTACT Nicholas Butler 051-393524 089-4278112 info@irelandwebsitedesign.com Contents Introduction 3 Installation

More information

SQL Injection 2.0: Bigger, Badder, Faster and More Dangerous Than Ever. Dana Tamir, Product Marketing Manager, Imperva

SQL Injection 2.0: Bigger, Badder, Faster and More Dangerous Than Ever. Dana Tamir, Product Marketing Manager, Imperva SQL Injection 2.0: Bigger, Badder, Faster and More Dangerous Than Ever Dana Tamir, Product Marketing Manager, Imperva Consider this: In the first half of 2008, SQL injection was the number one attack vector

More information

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011 Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011 Agenda Evolving Threats Operating System Application User Generated Content JPL s Application Security Program Securing

More information

Web Application Firewalls: What the vendors do NOT want you to know. The OWASP Foundation http://www.owasp.org

Web Application Firewalls: What the vendors do NOT want you to know. The OWASP Foundation http://www.owasp.org Web Application Firewalls: What the vendors do NOT want you to know Sandro Gauci EnableSecurity sandro@enablesecurity.com nd Wendel G. Henrique Trustwave whenrique@trustwave.com Copyright The OWASP Foundation

More information

Application Security Testing

Application Security Testing Tstsec - Version: 1 09 July 2016 Application Security Testing Application Security Testing Tstsec - Version: 1 4 days Course Description: We are living in a world of data and communication, in which the

More information

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

Web Application Hacking (Penetration Testing) 5-day Hands-On Course Web Application Hacking (Penetration Testing) 5-day Hands-On Course Web Application Hacking (Penetration Testing) 5-day Hands-On Course Course Description Our web sites are under attack on a daily basis

More information

Java Web Application Security

Java Web Application Security Java Web Application Security RJUG Nov 11, 2003 Durkee Consulting www.rd1.net 1 Ralph Durkee SANS Certified Mentor/Instructor SANS GIAC Network Security and Software Development Consulting Durkee Consulting

More information

Still Aren't Doing. Frank Kim

Still Aren't Doing. Frank Kim Ten Things Web Developers Still Aren't Doing Frank Kim Think Security Consulting Background Frank Kim Consultant, Think Security Consulting Security in the SDLC SANS Author & Instructor DEV541 Secure Coding

More information

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet March 8, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development

More information

Check list for web developers

Check list for web developers Check list for web developers Requirement Yes No Remarks 1. Input Validation 1.1) Have you done input validation for all the user inputs using white listing and/or sanitization? 1.2) Does the input validation

More information

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top

More information

ASL IT Security Advanced Web Exploitation Kung Fu V2.0

ASL IT Security Advanced Web Exploitation Kung Fu V2.0 ASL IT Security Advanced Web Exploitation Kung Fu V2.0 A S L I T S e c u r i t y P v t L t d. Page 1 Overview: There is a lot more in modern day web exploitation than the good old alert( xss ) and union

More information

Acunetix Website Audit. 5 November, 2014. Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build 20120808)

Acunetix Website Audit. 5 November, 2014. Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build 20120808) Acunetix Website Audit 5 November, 2014 Developer Report Generated by Acunetix WVS Reporter (v8.0 Build 20120808) Scan of http://filesbi.go.id:80/ Scan details Scan information Starttime 05/11/2014 14:44:06

More information

Web Application Firewall (WAF) Guide. Web Application Firewall を 理 解 するための 手 引 き A Handbook to Understand Web Application Firewall

Web Application Firewall (WAF) Guide. Web Application Firewall を 理 解 するための 手 引 き A Handbook to Understand Web Application Firewall Web Application Firewall (WAF) Guide 2 nd Edition Web Application Firewall を 理 解 するための 手 引 き A Handbook to Understand Web Application Firewall IT SECURITY CENTER, INFORMATION-TECHNOLOGY PROMOTION AGENCY,

More information

Protecting Your Organisation from Targeted Cyber Intrusion

Protecting Your Organisation from Targeted Cyber Intrusion Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology

More information

REAL-TIME WEB APPLICATION PROTECTION. AWF SERIES DATASHEET WEB APPLICATION FIREWALL

REAL-TIME WEB APPLICATION PROTECTION. AWF SERIES DATASHEET WEB APPLICATION FIREWALL REAL-TIME WEB APPLICATION PROTECTION. AWF SERIES DATASHEET WEB APPLICATION FIREWALL AWF Series Web application firewalls provide industry-leading Web application attack protection, ensuring continuity

More information

Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda 1. Introductions for new members (5 minutes) 2. Name of group 3. Current

More information

HTTP Response Splitting

HTTP Response Splitting The Attack HTTP Response Splitting is a protocol manipulation attack, similar to Parameter Tampering The attack is valid only for applications that use HTTP to exchange data Works just as well with HTTPS

More information

From Rivals to BFF: WAF & VA Unite OWASP 07.23.2009. The OWASP Foundation http://www.owasp.org

From Rivals to BFF: WAF & VA Unite OWASP 07.23.2009. The OWASP Foundation http://www.owasp.org From Rivals to BFF: WAF & VA Unite 07.23.2009 Brian Contos, Chief Security Strategist Imperva Inc. brian.contos@imperva.com +1 (650) 832.6054 Copyright The Foundation Permission is granted to copy, distribute

More information

(WAPT) Web Application Penetration Testing

(WAPT) Web Application Penetration Testing (WAPT) Web Application Penetration Testing Module 0: Introduction 1. Introduction to the course. 2. How to get most out of the course 3. Resources you will need for the course 4. What is WAPT? Module 1:

More information

Protecting Against SQLi in Real-Time

Protecting Against SQLi in Real-Time The OWASP Foundation http://www.owasp.org Protecting Against SQLi in Real-Time Stuart Hancock stuart.hancock@dbnetworks.com bob.dewolfe@dbnetworks.com AGENDA SQL injection attacks primary database security

More information

Penta Security 3rd Generation Web Application Firewall No Signature Required. www.gasystems.com.au

Penta Security 3rd Generation Web Application Firewall No Signature Required. www.gasystems.com.au Penta Security 3rd Generation Web Application Firewall No Signature Required www.gasystems.com.au 1 1 The Web Presence Demand The Web Still Grows INTERNET USERS 2006 1.2B Internet Users - 18% of 6.5B people

More information

The Web AppSec How-to: The Defenders Toolbox

The Web AppSec How-to: The Defenders Toolbox The Web AppSec How-to: The Defenders Toolbox Web application security has made headline news in the past few years. Incidents such as the targeting of specific sites as a channel to distribute malware

More information

Application Reviews and Web Application Firewalls Clarified. Information Supplement: PCI Data Security Standard (PCI DSS) Requirement:

Application Reviews and Web Application Firewalls Clarified. Information Supplement: PCI Data Security Standard (PCI DSS) Requirement: Standard: Version: Date: Requirement: Author: PCI Data Security Standard (PCI DSS) 1.2 October 2008 6.6 PCI Security Standards Council Information Supplement: Application Reviews and Web Application Firewalls

More information

Security Assessment of Waratek AppSecurity for Java. Executive Summary

Security Assessment of Waratek AppSecurity for Java. Executive Summary Security Assessment of Waratek AppSecurity for Java Executive Summary ExecutiveSummary Security Assessment of Waratek AppSecurity for Java! Introduction! Between September and November 2014 BCC Risk Advisory

More information

FORBIDDEN - Ethical Hacking Workshop Duration

FORBIDDEN - Ethical Hacking Workshop Duration Workshop Course Module FORBIDDEN - Ethical Hacking Workshop Duration Lecture and Demonstration : 15 Hours Security Challenge : 01 Hours Introduction Security can't be guaranteed. As Clint Eastwood once

More information

WAFFle: Fingerprinting Filter Rules of Web Application Firewalls

WAFFle: Fingerprinting Filter Rules of Web Application Firewalls Email: sebastian.schinzel@cs.fau.de Twitter: @seecurity WAFFle: Fingerprinting Filter Rules of Web Application Firewalls Isabell Schmitt, Sebastian Schinzel* Friedrich-Alexander Universität Erlangen-Nürnberg

More information

External Network & Web Application Assessment. For The XXX Group LLC October 2012

External Network & Web Application Assessment. For The XXX Group LLC October 2012 External Network & Web Application Assessment For The XXX Group LLC October 2012 This report is solely for the use of client personal. No part of it may be circulated, quoted, or reproduced for distribution

More information

ASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION

ASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION ASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION V 2.0 A S L I T S e c u r i t y P v t L t d. Page 1 Overview: Learn the various attacks like sql injections, cross site scripting, command execution

More information

THE OPEN UNIVERSITY OF TANZANIA

THE OPEN UNIVERSITY OF TANZANIA THE OPEN UNIVERSITY OF TANZANIA Institute of Educational and Management Technologies COURSE OUTLINES FOR DIPLOMA IN COMPUTER SCIENCE 2 nd YEAR (NTA LEVEL 6) SEMESTER I 06101: Advanced Website Design Gather

More information

Securing Enterprise Web Applications for Critical Data Protection and PCI-DSS Compliance

Securing Enterprise Web Applications for Critical Data Protection and PCI-DSS Compliance Securing Enterprise Web Applications for Critical Data Protection and PCI-DSS Compliance Selecting the Right Technology is Essential in Guarding Against Malicious Attacks White_Paper As today s organizations

More information

Web Application Security

Web Application Security Chapter 1 Web Application Security In this chapter: OWASP Top 10..........................................................2 General Principles to Live By.............................................. 4

More information

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering How to break in Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering Time Agenda Agenda Item 9:30 10:00 Introduction 10:00 10:45 Web Application Penetration

More information

Arrow ECS University 2015 Radware Hybrid Cloud WAF Service. 9 Ottobre 2015

Arrow ECS University 2015 Radware Hybrid Cloud WAF Service. 9 Ottobre 2015 Arrow ECS University 2015 Radware Hybrid Cloud WAF Service 9 Ottobre 2015 Get to Know Radware 2 Our Track Record Company Growth Over 10,000 Customers USD Millions 200.00 150.00 32% 144.1 16% 167.0 15%

More information

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Standard: Data Security Standard (DSS) Requirement: 6.6 Date: February 2008 Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Release date: 2008-04-15 General PCI

More information

Cross-Site Scripting

Cross-Site Scripting Cross-Site Scripting (XSS) Computer and Network Security Seminar Fabrice Bodmer (fabrice.bodmer@unifr.ch) UNIFR - Winter Semester 2006-2007 XSS: Table of contents What is Cross-Site Scripting (XSS)? Some

More information

Web Application Attacks and Countermeasures: Case Studies from Financial Systems

Web Application Attacks and Countermeasures: Case Studies from Financial Systems Web Application Attacks and Countermeasures: Case Studies from Financial Systems Dr. Michael Liu, CISSP, Senior Application Security Consultant, HSBC Inc Overview Information Security Briefing Web Applications

More information

Strategic Information Security. Attacking and Defending Web Services

Strategic Information Security. Attacking and Defending Web Services Security PS Strategic Information Security. Attacking and Defending Web Services Presented By: David W. Green, CISSP dgreen@securityps.com Introduction About Security PS Application Security Assessments

More information

With so many web applications, universities have a huge attack surface often without the IT security budgets or influence to back it up.

With so many web applications, universities have a huge attack surface often without the IT security budgets or influence to back it up. 1 2 Why do we care about web application security? With so many web applications, universities have a huge attack surface often without the IT security budgets or influence to back it up. We constantly

More information

Introduction: 1. Daily 360 Website Scanning for Malware

Introduction: 1. Daily 360 Website Scanning for Malware Introduction: SiteLock scans your website to find and fix any existing malware and vulnerabilities followed by using the protective TrueShield firewall to keep the harmful traffic away for good. Moreover

More information

ETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001

ETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001 001011 1100010110 0010110001 010110001 0110001011000 011000101100 010101010101APPLICATIO 0 010WIRELESS110001 10100MOBILE00010100111010 0010NETW110001100001 10101APPLICATION00010 00100101010WIRELESS110

More information

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) anthonylai@owasp.org Open Web Application Security Project http://www.owasp.org

More information

Integrating Web Application Security into the IT Curriculum

Integrating Web Application Security into the IT Curriculum Integrating Web Application Security into the IT Curriculum James Walden Northern Kentucky University Topics 1. 2. 3. 4. Why should we teach web application security? What material do we need to cover?

More information

So happy to be here! Paparazzi over IP. Daniel Mende & Pascal Turbing {dmende pturbing}@ernw.de. www.ernw.de

So happy to be here! Paparazzi over IP. Daniel Mende & Pascal Turbing {dmende pturbing}@ernw.de. www.ernw.de So happy to be here! Paparazzi over IP Daniel Mende & Pascal Turbing {dmende pturbing}@ernw.de 2/18/2013 ERNW GmbH Carl-Bosch-Str. 4 DE-69115 Heidelberg #2 Who we are Old-school network geeks, working

More information

Adobe Systems Incorporated

Adobe Systems Incorporated Adobe Connect 9.2 Page 1 of 8 Adobe Systems Incorporated Adobe Connect 9.2 Hosted Solution June 20 th 2014 Adobe Connect 9.2 Page 2 of 8 Table of Contents Engagement Overview... 3 About Connect 9.2...

More information

ArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young

ArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young ArcGIS Server Security Threats & Best Practices 2014 David Cordes Michael Young Agenda Introduction Threats Best practice - ArcGIS Server settings - Infrastructure settings - Processes Summary Introduction

More information

Web Security Threat Report: January April 2007. Ryan C. Barnett WASC Member Project Lead: Distributed Open Proxy Honeypots

Web Security Threat Report: January April 2007. Ryan C. Barnett WASC Member Project Lead: Distributed Open Proxy Honeypots Web Security Threat Report: January April 2007 Ryan C. Barnett WASC Member Project Lead: Distributed Open Proxy Honeypots What are we reporting? We are presenting real, live web attack data captured in-the-wild.

More information

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus Mobile Application Hacking for Android and iphone 4-Day Hands-On Course Syllabus Android and iphone Mobile Application Hacking 4-Day Hands-On Course Course description This course will focus on the techniques

More information

THE BLIND SPOT IN THREAT INTELLIGENCE THE BLIND SPOT IN THREAT INTELLIGENCE

THE BLIND SPOT IN THREAT INTELLIGENCE THE BLIND SPOT IN THREAT INTELLIGENCE THE BLIND SPOT IN THREAT INTELLIGENCE THE BLIND SPOT IN THREAT INTELLIGENCE How application threat intelligence can make existing enterprise security infrastructures smarter THE BLIND SPOT IN THREAT INTELLIGENCE

More information

Logs and Tactical Defence. Allan Stojanovic David Auclair University of Toronto #include

Logs and Tactical Defence. Allan Stojanovic David Auclair University of Toronto #include <disclaimer.h> R A O M Logs and Tactical Defence Allan Stojanovic David Auclair University of Toronto #include Our Environment Six /16 IPv4 networks one /32 IPv6 network (393,204 Ipv4s and 4,294,967,296

More information

Firewall Testing Methodology W H I T E P A P E R

Firewall Testing Methodology W H I T E P A P E R Firewall ing W H I T E P A P E R Introduction With the deployment of application-aware firewalls, UTMs, and DPI engines, the network is becoming more intelligent at the application level With this awareness

More information

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

WEB APPLICATION FIREWALLS: DO WE NEED THEM? DISTRIBUTING EMERGING TECHNOLOGIES, REGION-WIDE WEB APPLICATION FIREWALLS: DO WE NEED THEM? SHAIKH SURMED Sr. Solutions Engineer info@fvc.com www.fvc.com HAVE YOU BEEN HACKED????? WHAT IS THE PROBLEM?

More information

XSS Lightsabre techniques. using Hackvertor

XSS Lightsabre techniques. using Hackvertor XSS Lightsabre techniques using Hackvertor What is Hackvertor? Tag based conversion tool Javascript property checker Javascript/HTML execution DOM browser Saves you writing code Free and no ads! Whoo hoo!

More information

Hacking Web Apps. Detecting and Preventing Web Application Security Problems. Jorge Blanco Alcover. Mike Shema. Technical Editor SYNGRESS

Hacking Web Apps. Detecting and Preventing Web Application Security Problems. Jorge Blanco Alcover. Mike Shema. Technical Editor SYNGRESS Hacking Web Apps Detecting and Preventing Web Application Security Problems Mike Shema Technical Editor Jorge Blanco Alcover AMSTERDAM BOSTON HEIDELBERG LONDON NEW YORK OXFORD PARIS SAN DIEGO SAN FRANCISCO

More information

The Top Web Application Attacks: Are you vulnerable?

The Top Web Application Attacks: Are you vulnerable? QM07 The Top Web Application Attacks: Are you vulnerable? John Burroughs, CISSP Sr Security Architect, Watchfire Solutions jburroughs@uk.ibm.com Agenda Current State of Web Application Security Understanding

More information

NETWORK SECURITY. Scott Hand. Melanie Rich-Wittrig. Enrique Jimenez

NETWORK SECURITY. Scott Hand. Melanie Rich-Wittrig. Enrique Jimenez NETWORK SECURITY Scott Hand Melanie Rich-Wittrig Enrique Jimenez Chapter 2 In Which Firewalls Are Erected, Packets Are Snorted, And Pwnage Denied TOPICS COVERED Host Software Firewalls iptables Network

More information

CONTENTS. PCI DSS Compliance Guide

CONTENTS. PCI DSS Compliance Guide CONTENTS PCI DSS COMPLIANCE FOR YOUR WEBSITE BUILD AND MAINTAIN A SECURE NETWORK AND SYSTEMS Requirement 1: Install and maintain a firewall configuration to protect cardholder data Requirement 2: Do not

More information

Website Security. End-to-End Application Security from the Cloud. Cloud-Based, Big Data Security Approach. Datasheet: What You Get. Why Incapsula?

Website Security. End-to-End Application Security from the Cloud. Cloud-Based, Big Data Security Approach. Datasheet: What You Get. Why Incapsula? Datasheet: Website Security End-to-End Application Security from the Cloud Unmatched web application security experience, enhanced by real-time big data analytics, enables Incapsula to provide best-ofbreed

More information

Enterprise Application Security Workshop Series

Enterprise Application Security Workshop Series Enterprise Application Security Workshop Series Phone 877-697-2434 fax 877-697-2434 www.thesagegrp.com Defending JAVA Applications (3 Days) In The Sage Group s Defending JAVA Applications workshop, participants

More information

Cross Site Scripting in Joomla Acajoom Component

Cross Site Scripting in Joomla Acajoom Component Whitepaper Cross Site Scripting in Joomla Acajoom Component Vandan Joshi December 2011 TABLE OF CONTENTS Abstract... 3 Introduction... 3 A Likely Scenario... 5 The Exploit... 9 The Impact... 12 Recommended

More information

End-to-End Application Security from the Cloud

End-to-End Application Security from the Cloud Datasheet Website Security End-to-End Application Security from the Cloud Unmatched web application security experience, enhanced by real-time big data analytics, enables Incapsula to provide best-of-breed

More information

The Wide World of WAFs

The Wide World of WAFs The Wide World of WAFs Ben Feinstein, CISSP GCFA SecureWorks Counter Threat Unit DEFCON 16 August 8, 2008 What s In This Talk? Web Application Firewalls (WAFs) PCI Data Security Standard Requirement 6.6

More information

Security Testing: Step by Step System Audit with Rational Tools. First Presented for:

Security Testing: Step by Step System Audit with Rational Tools. First Presented for: Security Testing: Step by Step System Audit with Rational Tools First Presented for: The Rational User's Conference Orlando, FL 2002 with: Chris Walters Scott Barber Chief Technology Officer PerfTestPlus,

More information

10 Things Every Web Application Firewall Should Provide Share this ebook

10 Things Every Web Application Firewall Should Provide Share this ebook The Future of Web Security 10 Things Every Web Application Firewall Should Provide Contents THE FUTURE OF WEB SECURITY EBOOK SECTION 1: The Future of Web Security SECTION 2: Why Traditional Network Security

More information

CS 558 Internet Systems and Technologies

CS 558 Internet Systems and Technologies CS 558 Internet Systems and Technologies Dimitris Deyannis deyannis@csd.uoc.gr 881 Heat seeking Honeypots: Design and Experience Abstract Compromised Web servers are used to perform many malicious activities.

More information

Client vs. Server Implementations of Mitigating XSS Security Threats on Web Applications

Client vs. Server Implementations of Mitigating XSS Security Threats on Web Applications Journal of Basic and Applied Engineering Research pp. 50-54 Krishi Sanskriti Publications http://www.krishisanskriti.org/jbaer.html Client vs. Server Implementations of Mitigating XSS Security Threats

More information

STOPPING LAYER 7 ATTACKS with F5 ASM. Sven Müller Security Solution Architect

STOPPING LAYER 7 ATTACKS with F5 ASM. Sven Müller Security Solution Architect STOPPING LAYER 7 ATTACKS with F5 ASM Sven Müller Security Solution Architect Agenda Who is targeted How do Layer 7 attacks look like How to protect against Layer 7 attacks Building a security policy Layer

More information

INTRUSION DECEPTION CZYLI BAW SIĘ W CIUCIUBABKĘ Z NAMI

INTRUSION DECEPTION CZYLI BAW SIĘ W CIUCIUBABKĘ Z NAMI INTRUSION DECEPTION CZYLI BAW SIĘ W CIUCIUBABKĘ Z NAMI Na przykładzie Junos WebApp Secure Edmund Asare INCONVENIENT STATISTICS 70% of ALL threats are at the Web application layer. Gartner 73% of organizations

More information

2013 MONITORAPP Co., Ltd.

2013 MONITORAPP Co., Ltd. 01 Cloud Computing Overview Intelligent Web Application Firewall For Cloud Infrastructure Introduction 2013 MONITORAPP Co., Ltd. 01 Cloud Computing Overview Cloud-based Web Firewall Overview The new form

More information

Pentests more than just using the proper tools

Pentests more than just using the proper tools Pentests more than just using the proper tools Agenda 1. Information Security @ TÜV Rheinland 2. Penetration testing Introduction Evaluation scheme Security Analyses of web applications Internal Security

More information

Bypassing Web Application Firewalls (WAFs) Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant

Bypassing Web Application Firewalls (WAFs) Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant Bypassing Web Application Firewalls (WAFs) Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant Nethemba All About Security Highly experienced certified IT security experts (CISSP, C EH, SCSecA) Core

More information

Hacker Intelligence Initiative, Monthly Trend Report #15

Hacker Intelligence Initiative, Monthly Trend Report #15 January 2013 Hacker Intelligence Initiative, Monthly Trend Report #15 Lessons Learned From the Yahoo! Hack How SQL Injection Vulnerabilities in Third-Party Code Can Make for Security Cloudy 1. Executive

More information

IndusGuard Web Application Firewall Test Drive User Registration

IndusGuard Web Application Firewall Test Drive User Registration IndusGuard Web Application Firewall Test Drive User Registration Document Version 1.0 24/06/2015 Confidentiality INDUSFACE HAS PREPARED THIS DOCUMENT FOR INTERNAL PURPOSE. NEITHER THIS DOCUMENT NOR ITS

More information

David Rook. The Principles of Secure Development. OWASP Ireland Conference, Dublin

David Rook. The Principles of Secure Development. OWASP Ireland Conference, Dublin David Rook The Principles of Secure Development OWASP Ireland Conference, Dublin if (slide == introduction) System.out.println("I m David Rook"); Security Analyst, Realex Payments, Ireland CISSP, CISA,

More information

Hardening Moodle. Concept and Realization of a Security Component in Moodle. a project by

Hardening Moodle. Concept and Realization of a Security Component in Moodle. a project by Concept and Realization of a Security Component in Moodle a project by Andreas Gigli, Lars-Olof Krause, Björn Ludwig, Kai Neumann, Lars Schmidt and Melanie Schwenk 2 Agenda Plugin Installation in Moodle

More information

State of Web Application Security

State of Web Application Security State of Web Application Security Executive Summary Sponsored by Cenzic & Barracuda Networks Independently conducted by Ponemon Institute LLC Publication Date: February 2011 Ponemon Institute Research

More information