CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities"

Transcription

1 CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities Thomas Moyer Spring

2 Web Applications What has changed with web applications? Traditional applications fetched new content by fetching full pages with new content AJAX applications fetch new content in the background, only receiving content that has changed First use of AJAX technologies (XMLHttpRequest) First supported by Internet Explorer 5.0 Outlook Web Access (circa 2000) Now a standard part of any major browser 2

3 OWASP Background Open Web Application Security Project Develop tools and documentation for web application security ESAPI and WebScarab are two popular tools Development, Testing, and Review documents that guide developers in building, testing, and maintaining secure web application code One project is the Top 10 list that lists the top ten most popular web application security vulnerabilities 3

4 A1- Cross Site Scripting (XSS) Vulnerability: Attacker causes code to execute in the browser Reflected - Input is reflected in the output without filtering Stored - Input is stored in files, databases, etc. and used to create pages DOM-based - Manipulates JavaScript code/variables instead of HTML elements Use strong input validation routines Encode untrusted inputs that must be reflected in the output Don t rely on blacklisting tags 4

5 A1- Cross Site Scripting (XSS) Vulnerability: Attacker causes code to execute in the browser Reflected - Input is reflected in the output without filtering Example: echo $_POST[ username ]; Stored - Input is stored in files, databases, etc. and used to create pages where DOM-based - Manipulates JavaScript code/variables instead of HTML elements $_POST[ username ] = <script type= application/ javascript >alert( XSS );</script> Use strong input validation routines Encode untrusted inputs that must be reflected in the output Don t rely on blacklisting tags 4

6 MySpace Worm MySpace social networking site Infected your profile Added samy as one of your friends Added, but most of all samy is my hero. to your profile MySpace filters input... This was carefully crafted to evade the filters 5

7 A2 - Injection Flaws Vulnerability: Unfiltered user input is used by backend interpreters (SQL, LDAP, OS, etc.) Input validation/encoding Use safe APIs Vague error messages 6

8 A2 - Injection Flaws Vulnerability: Unfiltered user input is used by backend interpreters (SQL, LDAP, OS, etc.) Input validation/encoding Use safe APIs Vague error messages * 6

9 A3 - Malicious File Execution Vulnerability: Using user input to select files for execution Use indirect object references Strong validation of input Isolate applications Use taint tracking if language supports it 7

10 A3 - Malicious File Execution Vulnerability: Using user input to select files for execution Example: require($_post[ style ]..php ); Use indirect object references Strong validation of input where $_POST[ style ] = Isolate applications Use taint tracking if language supports it 7

11 A4 - Insecure Direct Object Reference Vulnerability: Exposing backend structure to clients, e.g. using bank account number as primary key Use strong access control checking Use an accept known good approach when checking client data Avoid using direct object references when possible 8

12 A4 - Insecure Direct Object Reference Vulnerability: Exposing backend structure to clients, e.g. using bank account number as primary key Use strong access control checking Example: int cartid = Integer.parseInt( request.getparameter( cartid ) ); String query = SELECT * FROM table WHERE cartid= + cartid; Use an accept known good approach when checking client data Avoid using direct object references when possible 8

13 A5 - Cross Site Request Forgery (CSRF) Vulnerability: Cause actions to occur on a site based solely on the fact that login credentials are submitted with all requests. Protect against XSS Use nonces in all requests Re-authenticate for sensitive transactions Don t use HTTP GET to process sensitive transactions 9

14 A5 - Cross Site Request Forgery (CSRF) Vulnerability: Cause actions to occur on a site based solely on the fact that login credentials are submitted with all requests. Example: Attacker puts <img src= /> in forum post on Protect against XSS Use nonces in all requests another site. Re-authenticate for sensitive transactions Don t use HTTP GET to process sensitive transactions 9

15 Gmail and CSRF Gmail relies heavily on JavaScript Even with protections, Google has been vulnerable to CSRF on multiple occasions Contact stealing &psort=affinity&callback=google&max=99999 Gmail password changing Change password request can be done using HTTP GET 10

16 Facebook Worm Users write on each other s wall Any user can view your wall, i.e. not private messages If the user clicks a specially crafted message on the wall, they are sent to another site This site has a carefully crafted URL that causes this same message to be posted on the logged in user s wall This carefully crafted URL is the basis of the CSRF attack 11

17 A6 - Information Leakage and Improper Error Handling Vulnerability: Application reveals details about internal configuration via error messages. Disable error reporting on production system Consistent exception handling If error reporting is required, ensure that it is consistent and has no backend details 12

18 WordPress SQL Information WordPress is a blog application that allows users to create a blog site with ease URL used: / localhost/ wordpress/ index.php?paged=-1 Errors generated by WordPress: WordPress database error: [Erreur de syntaxe pr?s de '-20, 10'? la ligne 1] Invalid Argument SELECT DISTINCT * FROM w p_posts WHERE 1=1 AND post_date_gmt <= ' :46:59' AND (post_status = "publish") AND post_status!= "attachment" GROUP BY wp_posts.id ORDER BY post_date DESC LIMIT -20, 10 End user sees this error in the browser Can now see what table names are and the structure of the SQL query (leading to potential SQL injection attacks) 13

19 A7 - Broken Authentication and Session Management Vulnerability: Broken authentication allows attackers to steal credentials or tokens Don t roll your own session management Don t rely on spoofable information to ID users Don t rely heavily on custom cookies Use SSL to protect authenticated portions of system 14

20 A8 - Insecure Cryptographic Storage Vulnerability: Using no encryption, weak encryption, or home-grown encryption, or using hard-coded keys Use strong, vetted cryptographic algorithms Protect private keys Protect backend storage, such as DB (i.e. no direct client access to backend storage systems) 15

21 A9 - Insecure Communications Vulnerability: Sending sensitive information in the clear Enable SSL between client and server Enable SSL between server and other backend systems Isolate backend systems from public network (if possible) 16

22 Gmail to use SSL Gmail recently announced a switch to SSL by deafult Before, only users surfing to Originally, SSL was only used for login Attacker can steal session identifiers and access Gmail account by providing the right cookies Persisted until the user logged out 17

23 A10 - Failure to Restrict URL Access Vulnerability: Attacker guesses URLs that lead to functionality they are not authorized to access Strong access control mechanism/policy Assume user is able to guess all URLs, i.e. don t rely on security through obscurity Filter requests for files that your system shouldn t serve 18

24 Lessons User input is inherently untrusted Input validation/filtering is hugely important It takes nothing more than a browser to attack a web application Browsers are installed on just about every computer Worry about both the client and the server More code is available to the attacker than in traditional web applications 19

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Presented 2009-05-29 by David Strauss Thinking Securely Security is a process, not

More information

Check list for web developers

Check list for web developers Check list for web developers Requirement Yes No Remarks 1. Input Validation 1.1) Have you done input validation for all the user inputs using white listing and/or sanitization? 1.2) Does the input validation

More information

FINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

FINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that

More information

Web Application Guidelines

Web Application Guidelines Web Application Guidelines Web applications have become one of the most important topics in the security field. This is for several reasons: It can be simple for anyone to create working code without security

More information

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY www.alliancetechpartners.com WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY More than 70% of all websites have vulnerabilities

More information

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Detecting Web Application Vulnerabilities Using Open Source Means OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Kostas Papapanagiotou Committee Member OWASP Greek Chapter conpap@owasp.gr

More information

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair dave.wichers@owasp.

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair dave.wichers@owasp. and Top 10 (2007 Update) Dave Wichers The Foundation Conferences Chair dave.wichers@owasp.org COO, Aspect Security dave.wichers@aspectsecurity.com Copyright 2007 - The Foundation This work is available

More information

Where every interaction matters.

Where every interaction matters. Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper

More information

Web application security

Web application security Web application security Sebastian Lopienski CERN Computer Security Team openlab and summer lectures 2010 (non-web question) Is this OK? int set_non_root_uid(int uid) { // making sure that uid is not 0

More information

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure Vulnerabilities, Weakness and Countermeasures Massimo Cotelli CISSP Secure : Goal of This Talk Security awareness purpose Know the Web Application vulnerabilities Understand the impacts and consequences

More information

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh Web applications Web security: web basics Myrto Arapinis School of Informatics University of Edinburgh HTTP March 19, 2015 Client Server Database (HTML, JavaScript) (PHP) (SQL) 1 / 24 2 / 24 URLs HTTP

More information

The Top Web Application Attacks: Are you vulnerable?

The Top Web Application Attacks: Are you vulnerable? QM07 The Top Web Application Attacks: Are you vulnerable? John Burroughs, CISSP Sr Security Architect, Watchfire Solutions jburroughs@uk.ibm.com Agenda Current State of Web Application Security Understanding

More information

Magento Security and Vulnerabilities. Roman Stepanov

Magento Security and Vulnerabilities. Roman Stepanov Magento Security and Vulnerabilities Roman Stepanov http://ice.eltrino.com/ Table of contents Introduction Open Web Application Security Project OWASP TOP 10 List Common issues in Magento A1 Injection

More information

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering How to break in Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering Time Agenda Agenda Item 9:30 10:00 Introduction 10:00 10:45 Web Application Penetration

More information

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research National Information Security Group The Top Web Application Hack Attacks Danny Allan Director, Security Research 1 Agenda Web Application Security Background What are the Top 10 Web Application Attacks?

More information

ArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young

ArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young ArcGIS Server Security Threats & Best Practices 2014 David Cordes Michael Young Agenda Introduction Threats Best practice - ArcGIS Server settings - Infrastructure settings - Processes Summary Introduction

More information

Testing the OWASP Top 10 Security Issues

Testing the OWASP Top 10 Security Issues Testing the OWASP Top 10 Security Issues Andy Tinkham & Zach Bergman, Magenic Technologies Contact Us 1600 Utica Avenue South, Suite 800 St. Louis Park, MN 55416 1 (877)-277-1044 info@magenic.com Who Are

More information

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security

More information

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top

More information

Intrusion detection for web applications

Intrusion detection for web applications Intrusion detection for web applications Intrusion detection for web applications Łukasz Pilorz Application Security Team, Allegro.pl Reasons for using IDS solutions known weaknesses and vulnerabilities

More information

Top Ten Web Application Vulnerabilities in J2EE. Vincent Partington and Eelco Klaver Xebia

Top Ten Web Application Vulnerabilities in J2EE. Vincent Partington and Eelco Klaver Xebia Top Ten Web Application Vulnerabilities in J2EE Vincent Partington and Eelco Klaver Xebia Introduction Open Web Application Security Project is an open project aimed at identifying and preventing causes

More information

Sitefinity Security and Best Practices

Sitefinity Security and Best Practices Sitefinity Security and Best Practices Table of Contents Overview The Ten Most Critical Web Application Security Risks Injection Cross-Site-Scripting (XSS) Broken Authentication and Session Management

More information

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus ASP.NET MVC Secure Coding 4-Day hands on Course Course Syllabus Course description ASP.NET MVC Secure Coding 4-Day hands on Course Secure programming is the best defense against hackers. This multilayered

More information

(WAPT) Web Application Penetration Testing

(WAPT) Web Application Penetration Testing (WAPT) Web Application Penetration Testing Module 0: Introduction 1. Introduction to the course. 2. How to get most out of the course 3. Resources you will need for the course 4. What is WAPT? Module 1:

More information

Liberty Alliance. CSRF Review. .NET Passport Review. Kerberos Review. CPSC 328 Spring 2009

Liberty Alliance. CSRF Review. .NET Passport Review. Kerberos Review. CPSC 328 Spring 2009 CSRF Review Liberty Alliance CPSC 328 Spring 2009 Quite similar, yet different from XSS Malicious script or link involved Exploits trust XSS - exploit user s trust in the site CSRF - exploit site s trust

More information

Øredev 2006. Web application testing using a proxy. Lucas Nelson, Symantec Inc.

Øredev 2006. Web application testing using a proxy. Lucas Nelson, Symantec Inc. Øredev 2006 Web application testing using a proxy Lucas Nelson, Symantec Inc. Agenda What is a proxy? Setting up your environment Pre-login tests Post-login tests Conclusion A man in the middle proxy The

More information

Data Breaches and Web Servers: The Giant Sucking Sound

Data Breaches and Web Servers: The Giant Sucking Sound Data Breaches and Web Servers: The Giant Sucking Sound Guy Helmer CTO, Palisade Systems, Inc. Lecturer, Iowa State University @ghelmer Session ID: DAS-204 Session Classification: Intermediate The Giant

More information

Hacking de aplicaciones Web

Hacking de aplicaciones Web HACKING SCHOOL Hacking de aplicaciones Web Gabriel Maciá Fernández Fundamentos de la web CLIENTE SERVIDOR BROWSER HTTP WEB SERVER DATOS PRIVADOS BASE DE DATOS 1 Interacción con servidores web URLs http://gmacia:pass@www.ugr.es:80/descarga.php?file=prueba.txt

More information

Criteria for web application security check. Version 2015.1

Criteria for web application security check. Version 2015.1 Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-

More information

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca)

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca) Bug Report Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca) Software: Kimai Version: 0.9.1.1205 Website: http://www.kimai.org Description: Kimai is a web based time-tracking application.

More information

OWASP Top Ten Tools and Tactics

OWASP Top Ten Tools and Tactics OWASP Top Ten Tools and Tactics Russ McRee Copyright 2012 HolisticInfoSec.org SANSFIRE 2012 10 JULY Welcome Manager, Security Analytics for Microsoft Online Services Security & Compliance Writer (toolsmith),

More information

What is Web Security? Motivation

What is Web Security? Motivation brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web

More information

Web Application Security

Web Application Security Web Application Security Security Mitigations Halito 26 juni 2014 Content Content... 2 Scope of this document... 3 OWASP Top 10... 4 A1 - Injection... 4... 4... 4 A2 - Broken Authentication and Session

More information

Sichere Software- Entwicklung für Java Entwickler

Sichere Software- Entwicklung für Java Entwickler Sichere Software- Entwicklung für Java Entwickler Dominik Schadow Senior Consultant Trivadis GmbH 05/09/2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART

More information

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke EVALUATING COMMERCIAL WEB APPLICATION SECURITY By Aaron Parke Outline Project background What and why? Targeted sites Testing process Burp s findings Technical talk My findings and thoughts Questions Project

More information

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6 WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL Ensuring Compliance for PCI DSS 6.5 and 6.6 CONTENTS 04 04 06 08 11 12 13 Overview Payment Card Industry Data Security Standard PCI Compliance for Web Applications

More information

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications 1. Introduction 2. Web Application 3. Components 4. Common Vulnerabilities 5. Improving security in Web applications 2 What does World Wide Web security mean? Webmasters=> confidence that their site won

More information

Using Foundstone CookieDigger to Analyze Web Session Management

Using Foundstone CookieDigger to Analyze Web Session Management Using Foundstone CookieDigger to Analyze Web Session Management Foundstone Professional Services May 2005 Web Session Management Managing web sessions has become a critical component of secure coding techniques.

More information

Advanced Web Technology 10) XSS, CSRF and SQL Injection 2

Advanced Web Technology 10) XSS, CSRF and SQL Injection 2 Berner Fachhochschule, Technik und Informatik Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011 Table of Contents Cross Site Request Forgery - CSRF Presentation

More information

Enterprise Application Security Workshop Series

Enterprise Application Security Workshop Series Enterprise Application Security Workshop Series Phone 877-697-2434 fax 877-697-2434 www.thesagegrp.com Defending JAVA Applications (3 Days) In The Sage Group s Defending JAVA Applications workshop, participants

More information

WEB APPLICATION SECURITY

WEB APPLICATION SECURITY WEB APPLICATION SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part

More information

Security vulnerabilities in new web applications. Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant

Security vulnerabilities in new web applications. Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant Security vulnerabilities in new web applications Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant $whoami Introduction Pavol Lupták 10+ years of practical experience in security and seeking vulnerabilities

More information

Nuclear Regulatory Commission Computer Security Office Computer Security Standard

Nuclear Regulatory Commission Computer Security Office Computer Security Standard Nuclear Regulatory Commission Computer Security Office Computer Security Standard Office Instruction: Office Instruction Title: CSO-STD-1108 Web Application Standard Revision Number: 1.0 Effective Date:

More information

Web Security Testing Cookbook*

Web Security Testing Cookbook* Web Security Testing Cookbook* Systematic Techniques to Find Problems Fast Paco Hope and Ben Walther O'REILLY' Beijing Cambridge Farnham Koln Sebastopol Tokyo Table of Contents Foreword Preface xiii xv

More information

Chapter 1 Web Application (In)security 1

Chapter 1 Web Application (In)security 1 Introduction xxiii Chapter 1 Web Application (In)security 1 The Evolution of Web Applications 2 Common Web Application Functions 4 Benefits of Web Applications 5 Web Application Security 6 "This Site Is

More information

Essential IT Security Testing

Essential IT Security Testing Essential IT Security Testing Application Security Testing for System Testers By Andrew Muller Director of Ionize Who is this guy? IT Security consultant to the stars Member of OWASP Member of IT-012-04

More information

Web-Application Security

Web-Application Security Web-Application Security Kristian Beilke Arbeitsgruppe Sichere Identität Fachbereich Mathematik und Informatik Freie Universität Berlin 29. Juni 2011 Overview Web Applications SQL Injection XSS Bad Practice

More information

Cross-Site Scripting

Cross-Site Scripting Cross-Site Scripting (XSS) Computer and Network Security Seminar Fabrice Bodmer (fabrice.bodmer@unifr.ch) UNIFR - Winter Semester 2006-2007 XSS: Table of contents What is Cross-Site Scripting (XSS)? Some

More information

WHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6

WHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6 WHITE PAPER FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6 Ensuring compliance for PCI DSS 6.5 and 6.6 Page 2 Overview Web applications and the elements surrounding them

More information

Software Assurance Tools: Web Application Security Scanner Functional Specification Version 1.0

Software Assurance Tools: Web Application Security Scanner Functional Specification Version 1.0 Special Publication 500-269 Software Assurance Tools: Web Application Security Scanner Functional Specification Version 1.0 Paul E. Black Elizabeth Fong Vadim Okun Romain Gaucher Software Diagnostics and

More information

Detecting and Defending Against Security Vulnerabilities for Web 2.0 Applications

Detecting and Defending Against Security Vulnerabilities for Web 2.0 Applications Detecting and Defending Against Security Vulnerabilities for Web 2.0 Applications Ray Lai, Intuit TS-5358 Share experience how to detect and defend security vulnerabilities in Web 2.0 applications using

More information

HTTPParameter Pollution. ChrysostomosDaniel

HTTPParameter Pollution. ChrysostomosDaniel HTTPParameter Pollution ChrysostomosDaniel Introduction Nowadays, many components from web applications are commonly run on the user s computer (such as Javascript), and not just on the application s provider

More information

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications Slides by Connor Schnaith Cross-Site Request Forgery One-click attack, session riding Recorded since 2001 Fourth out of top 25 most

More information

elearning for Secure Application Development

elearning for Secure Application Development elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security

More information

Hack Proof Your Webapps

Hack Proof Your Webapps Hack Proof Your Webapps About ERM About the speaker Web Application Security Expert Enterprise Risk Management, Inc. Background Web Development and System Administration Florida International University

More information

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Securing Your Web Application against security vulnerabilities Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Agenda Security Landscape Vulnerability Analysis Automated Vulnerability

More information

Project OWASP and two most frequent vulnerabilities in web applications

Project OWASP and two most frequent vulnerabilities in web applications Project OWASP and two most frequent vulnerabilities in web applications Filip Šebesta, Wilson Tuladhar 2010 Abstract With the rapid use of the Internet, there has been a rapid growth in websites and web

More information

Web Application Security

Web Application Security Web Application Security John Zaharopoulos ITS - Security 10/9/2012 1 Web App Security Trends Web 2.0 Dynamic Webpages Growth of Ajax / Client side Javascript Hardening of OSes Secure by default Auto-patching

More information

Application Security Vulnerabilities, Mitigation, and Consequences

Application Security Vulnerabilities, Mitigation, and Consequences Application Security Vulnerabilities, Mitigation, and Consequences Sean Malone, CISSP, CCNA, CEH, CHFI sean.malone@coalfiresystems.com Institute of Internal Auditors April 10, 2012 Overview Getting Technical

More information

Rational AppScan & Ounce Products

Rational AppScan & Ounce Products IBM Software Group Rational AppScan & Ounce Products Presenters Tony Sisson and Frank Sassano 2007 IBM Corporation IBM Software Group The Alarming Truth CheckFree warns 5 million customers after hack http://infosecurity.us/?p=5168

More information

Project 2: Web Security Pitfalls

Project 2: Web Security Pitfalls EECS 388 September 19, 2014 Intro to Computer Security Project 2: Web Security Pitfalls Project 2: Web Security Pitfalls This project is due on Thursday, October 9 at 6 p.m. and counts for 8% of your course

More information

WEB ATTACKS AND COUNTERMEASURES

WEB ATTACKS AND COUNTERMEASURES WEB ATTACKS AND COUNTERMEASURES February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in

More information

Blackbox Reversing of XSS Filters

Blackbox Reversing of XSS Filters Blackbox Reversing of XSS Filters Alexander Sotirov alex@sotirov.net Introduction Web applications are the future Reversing web apps blackbox reversing very different environment and tools Cross-site scripting

More information

Cross Site Scripting (XSS) and PHP Security. Anthony Ferrara NYPHP and OWASP Security Series June 30, 2011

Cross Site Scripting (XSS) and PHP Security. Anthony Ferrara NYPHP and OWASP Security Series June 30, 2011 Cross Site Scripting (XSS) and PHP Security Anthony Ferrara NYPHP and OWASP Security Series June 30, 2011 What Is Cross Site Scripting? Injecting Scripts Into Otherwise Benign and Trusted Browser Rendered

More information

Securing your Web application

Securing your Web application Securing your Web application TI1506: Web and Database Technology Claudia Hauff! Lecture 8 [Web], 2014/15 1 Course overview [Web] 1. http: the language of Web communication 2. Web (app) design & HTML5

More information

Web Application Security Guidelines for Hosting Dynamic Websites on NIC Servers

Web Application Security Guidelines for Hosting Dynamic Websites on NIC Servers Web Application Security Guidelines for Hosting Dynamic Websites on NIC Servers The Website can be developed under Windows or Linux Platform. Windows Development should be use: ASP, ASP.NET 1.1/ 2.0, and

More information

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins During initial stages of penetration testing it is essential to build a strong information foundation before you

More information

What about MongoDB? can req.body.input 0; var date = new Date(); do {curdate = new Date();} while(curdate-date<10000)

What about MongoDB? can req.body.input 0; var date = new Date(); do {curdate = new Date();} while(curdate-date<10000) Security What about MongoDB? Even though MongoDB doesn t use SQL, it can be vulnerable to injection attacks db.collection.find( {active: true, $where: function() { return obj.credits - obj.debits < req.body.input;

More information

Columbia University Web Security Standards and Practices. Objective and Scope

Columbia University Web Security Standards and Practices. Objective and Scope Columbia University Web Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Security Standards and Practices document establishes a baseline of security related requirements

More information

SQuAD: Application Security Testing

SQuAD: Application Security Testing SQuAD: Application Security Testing Terry Morreale Ben Whaley June 8, 2010 Why talk about security? There has been exponential growth of networked digital systems in the past 15 years The great things

More information

Web Application Penetration Testing

Web Application Penetration Testing Web Application Penetration Testing 2010 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. Will Bechtel William.Bechtel@att.com

More information

Getting Developers to Take XSS Seriously

Getting Developers to Take XSS Seriously Cross-Site Scripting Getting Developers to Take XSS Seriously Use Social Engineering to Enhance Your Vulnerability Reporting XSS Contact Information Jason Pubal Website www.intellavis.com/blog E-mail jpubal@gmail.com

More information

Introduction. Attacks Against Websites 2. Reflected XSS. Cross-site scripting (XSS) Solution for injection: sanitization.

Introduction. Attacks Against Websites 2. Reflected XSS. Cross-site scripting (XSS) Solution for injection: sanitization. Introduction Attacks Against Websites 2 Tom Chothia Computer Security, Lecture 12 More on Web Attacks: Cross site scripting attacks (XSS) Cross-site request forgery (CSRF) OWASP top 10 web attacks. Cross-site

More information

Overview of the Penetration Test Implementation and Service. Peter Kanters

Overview of the Penetration Test Implementation and Service. Peter Kanters Penetration Test Service @ ABN AMRO Overview of the Penetration Test Implementation and Service. Peter Kanters ABN AMRO / ISO April 2010 Contents 1. Introduction. 2. The history of Penetration Testing

More information

Passing PCI Compliance How to Address the Application Security Mandates

Passing PCI Compliance How to Address the Application Security Mandates Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These

More information

Secure development and the SDLC. Presented By Jerry Hoff @jerryhoff

Secure development and the SDLC. Presented By Jerry Hoff @jerryhoff Secure development and the SDLC Presented By Jerry Hoff @jerryhoff Agenda Part 1: The Big Picture Part 2: Web Attacks Part 3: Secure Development Part 4: Organizational Defense Part 1: The Big Picture Non

More information

BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS

BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS Published by Tony Porterfield Feb 1, 2015. Overview The intent of this test plan is to evaluate a baseline set of data security practices

More information

Introduction:... 1 Security in SDLC:... 2 Penetration Testing Methodology: Case Study... 3

Introduction:... 1 Security in SDLC:... 2 Penetration Testing Methodology: Case Study... 3 Table of Contents Introduction:... 1 Security in SDLC:... 2 Penetration Testing Methodology: Case Study... 3 Information Gathering... 3 Vulnerability Testing... 7 OWASP TOP 10 Vulnerabilities:... 8 Injection

More information

Web and Email Security 1 / 40

Web and Email Security 1 / 40 Web and 1 / 40 Untrusted Clients Repeat: Untrusted Clients Server-Side Storage Cryptographic Sealing Hidden Values Cookies Protecting Data Sidebar: Cookies and JavaScript Cross-Site Scripting (XSS) Why

More information

A Survey on Security and Vulnerabilities of Web Application

A Survey on Security and Vulnerabilities of Web Application A Survey on Security and Vulnerabilities of Web Application Gopal R. Chaudhari, Prof. Madhav V. Vaidya Department of Information Technology, SGGS IE & T, Nanded, Maharashtra, India-431606 Abstract Web

More information

OWASP TOP 10 ILIA ALSHANETSKY @ILIAA HTTPS://JOIND.IN/15741

OWASP TOP 10 ILIA ALSHANETSKY @ILIAA HTTPS://JOIND.IN/15741 OWASP TOP 10 ILIA ALSHANETSKY @ILIAA HTTPS://JOIND.IN/15741 ME, MYSELF & I PHP Core Developer Author of Guide to PHP Security Security Aficionado THE CONUNDRUM USABILITY SECURITY YOU CAN HAVE ONE ;-) OPEN

More information

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP) Title: Functional Category: Information Technology Services Issuing Department: Information Technology Services Code Number: xx.xxx.xx Effective Date: xx/xx/2014 1.0 PURPOSE 1.1 To appropriately manage

More information

WordPress Security Scan Configuration

WordPress Security Scan Configuration WordPress Security Scan Configuration To configure the - WordPress Security Scan - plugin in your WordPress driven Blog, login to WordPress as administrator, by simply entering the url_of_your_website/wp-admin

More information

Web Application Security

Web Application Security Web Application Security Kenneth Ingham and Anil Somayaji September 29, 2009 1 Course overview Web applications are essential to everything from embedded systems to e-commerce systems. This class looks

More information

Application Security. Petr Křemen. petr.kremen@fel.cvut.cz

Application Security. Petr Křemen. petr.kremen@fel.cvut.cz Application Security Petr Křemen petr.kremen@fel.cvut.cz What is application security? Security is a set of measures that So, what can happen? taken from [7] first half of 2013 Let's focus on application

More information

Web Application Security

Web Application Security Web Application Security A Beginner's Guide Bryan Sullivan Vincent Liu Mc r New York Chicago San Francisco Lisbon London Madrid Mexico City Milan New Delhi San Juan Seoul Singapore Sydney Toronto Contents

More information

05.0 Application Development

05.0 Application Development Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development

More information

APPLICATION SECURITY AND ITS IMPORTANCE

APPLICATION SECURITY AND ITS IMPORTANCE Table of Contents APPLICATION SECURITY AND ITS IMPORTANCE 1 ISSUES AND FIXES: 2 ISSUE: XSS VULNERABILITIES 2 ISSUE: CSRF VULNERABILITY 2 ISSUE: CROSS FRAME SCRIPTING (XSF)/CLICK JACKING 2 ISSUE: WEAK CACHE

More information

Web Application Vulnerability Testing with Nessus

Web Application Vulnerability Testing with Nessus The OWASP Foundation http://www.owasp.org Web Application Vulnerability Testing with Nessus Rïk A. Jones, CISSP rikjones@computer.org Rïk A. Jones Web developer since 1995 (16+ years) Involved with information

More information

Advanced Security for Systems Engineering VO 01: Web Application Security

Advanced Security for Systems Engineering VO 01: Web Application Security Advanced Security for Systems Engineering VO 01: Web Application Security Stefan Taber, Christian Schanes INSO Industrial Software Institute of Computer Aided Automation Faculty of Informatics TU Wien

More information

Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda 1. Introductions for new members (5 minutes) 2. Name of group 3. Current

More information

DIPLOMA IN WEBDEVELOPMENT

DIPLOMA IN WEBDEVELOPMENT DIPLOMA IN WEBDEVELOPMENT Prerequisite skills Basic programming knowledge on C Language or Core Java is must. # Module 1 Basics and introduction to HTML Basic HTML training. Different HTML elements, tags

More information

Institutionen för datavetenskap

Institutionen för datavetenskap Institutionen för datavetenskap Department of Computer and Information Science Final thesis Generating web applications containing XSS and CSRF vulnerabilities by Gustav Ahlberg LIU-IDA/LITH-EX-A--14/054--SE

More information

Ruby on Rails Secure Coding Recommendations

Ruby on Rails Secure Coding Recommendations Introduction Altius IT s list of Ruby on Rails Secure Coding Recommendations is based upon security best practices. This list may not be complete and Altius IT recommends this list be augmented with additional

More information

Security features of ZK Framework

Security features of ZK Framework 1 Security features of ZK Framework This document provides a brief overview of security concerns related to JavaScript powered enterprise web application in general and how ZK built-in features secures

More information

State of The Art: Automated Black Box Web Application Vulnerability Testing. Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell

State of The Art: Automated Black Box Web Application Vulnerability Testing. Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell Stanford Computer Security Lab State of The Art: Automated Black Box Web Application Vulnerability Testing, Elie Bursztein, Divij Gupta, John Mitchell Background Web Application Vulnerability Protection

More information

Points of View. CxO s point of view. Developer s point of view. Attacker s point of view

Points of View. CxO s point of view. Developer s point of view. Attacker s point of view Web App Security 2 CxO s point of view Points of View Measurable security SCAP (Security Content Automation Protocol) Developer s point of view Secure coding/software security CWE (Common Weakness Enumeration)

More information

Web Application Report

Web Application Report Web Application Report This report includes important security information about your Web Application. Security Report This report was created by IBM Rational AppScan 8.5.0.1 11/14/2012 8:52:13 AM 11/14/2012

More information

Introduction to Computer Security

Introduction to Computer Security Introduction to Computer Security Web Application Security Pavel Laskov Wilhelm Schickard Institute for Computer Science Modern threat landscape The majority of modern vulnerabilities are found in web

More information

Still Aren't Doing. Frank Kim

Still Aren't Doing. Frank Kim Ten Things Web Developers Still Aren't Doing Frank Kim Think Security Consulting Background Frank Kim Consultant, Think Security Consulting Security in the SDLC SANS Author & Instructor DEV541 Secure Coding

More information