Some Notes on Web Application Firewalls
|
|
|
- Tyrone Hudson
- 10 years ago
- Views:
Transcription
1 Some Notes on Web Application Firewalls or Why You still Get Owned
2 #whoami Member of Application Security Team, ERNW GmbH Contact: ERNW GmbH Frank Block Breslauer Str Heidelberg ERNW GmbH Breslauer Straße 28 D Heidelberg #2
3 ERNW GmbH Breslauer Straße 28 D Heidelberg #3 #whoami Head of Application Security & Chief Security Officer, ERNW GmbH Contact: ERNW GmbH Michael Thumann Breslauer Str Heidelberg
4 ERNW GmbH Breslauer Straße 28 D Heidelberg #4 Attack Vectors Web Application
5 ERNW GmbH Breslauer Straße 28 D Heidelberg #5 Web Application Attacks
6 ERNW GmbH Breslauer Straße 28 D Heidelberg #6 SQL Injection Example
7 ERNW GmbH Breslauer Straße 28 D Heidelberg #7 What s a WAF Web Application Firewalls
8 ERNW GmbH Breslauer Straße 28 D Heidelberg #8 Web Application Firewalls Basically a filter that controls the traffic between a client and the application Its main purpose is to detect and defend against application layer attacks which could lead to - Data loss - Denial of Service - Web Site Defacement
9 ERNW GmbH Breslauer Straße 28 D Heidelberg #9 Possible reasons for the usage of WAFs Insecure Application with maybe already known vulnerabilities Additional Protection No confidence in own/foreign Software developers
10 ERNW GmbH Breslauer Straße 28 D Heidelberg #10 Web Application Firewalls Detection mechanisms - Negative Detection Model - Positive Detection Model - Additional Mechanisms Possible deployments - Reverse Proxy - Layer 2 Bridge - Network monitor - Server based - Embedded
11 ERNW GmbH Breslauer Straße 28 D Heidelberg #11 Detection Mechanisms Negative Detection Model - Blacklisting approach - Database with known "bad" Strings Positive Detection Model - Whitelisting approach - WAF learns/gets teached "good" Input and rejects all other Input Additional Mechanisms - Time based detection - Anomaly based detection
12 ERNW GmbH Breslauer Straße 28 D Heidelberg #12 WAF deployments Network Monitor Layer 2 Bridge Reverse Proxy
13 ERNW GmbH Breslauer Straße 28 D Heidelberg #13 WAF deployments Server based Embedded Web app
14 ERNW GmbH Breslauer Straße 28 D Heidelberg #14 but... Effort - for the WAF testing/ configuration (and retesting/ configuration on new releases) - concerning the environment adjustment - regarding maintenance/ troubleshooting
15 ERNW GmbH Breslauer Straße 28 D Heidelberg #15 Vulnerabilities that could be mitigated by a WAF
16 ERNW GmbH Breslauer Straße 28 D Heidelberg #16 Fingerprinting Web Application Firewalls
17 WAFs covered in research ModSecurity PHPIDS WebKnight URLScan Web Application Firewall ERNW GmbH Breslauer Straße 28 D Heidelberg #17
18 ERNW GmbH Breslauer Straße 28 D Heidelberg #18 Fingerprinting Phase one: 10 Teststrings Phase two: "Specialties"
19 ERNW GmbH Breslauer Straße 28 D Heidelberg #19 ModSecurity GET /print.php?message=a HTTP/1.1\r\n Host: modsec.waf\r\n User-Agent: libwww\r\n \r\n GET /print.php?message=a HTTP/1.1\r\n Host: modsec.waf\r\n User-Agent: libwww\r\n Accept: a\r\n \r\n
20 ERNW GmbH Breslauer Straße 28 D Heidelberg #20 PHPIDS No global Filtering $BAD_STRING
21 ERNW GmbH Breslauer Straße 28 D Heidelberg #21 WebKnight Status Code: 999 Status Message: No Hacking Server: WWW Server/1.1 WebKnight specific Errorpage %3E
22 ERNW GmbH Breslauer Straße 28 D Heidelberg #22 URLScan GET / HTTP/1.1\r\n Host: webknight.waf:80\r\n User-Agent: Mozilla/5.5 (compatible; MSIE 5.5; Windows NT 5.1) \r\n Accept: */*\r\n If: aaaa\r\n Translate: aaaa\r\n Lock-Token: aaaa\r\n Accept: */*\r\n If: \r\n Translate: \r\n Lock-Token: \r\n
23 ERNW GmbH Breslauer Straße 28 D Heidelberg #23 Web Application Firewall 460 Custom Errorpage The specified URL cannot be found The requested service is temporarily unavailable. It is either overloaded or under maintenance. Please try later. Additional HTML comment:
24 ERNW GmbH Breslauer Straße 28 D Heidelberg #24 Circumvention Web Application Firewalls
25 ERNW GmbH Breslauer Straße 28 D Heidelberg #25 WAF secured J
26 ERNW GmbH Breslauer Straße 28 D Heidelberg #26 SQLi based Circumvention 'or 'a='='a= 'or 'a'='a'-- 'or 1 -- ' --
27 ERNW GmbH Breslauer Straße 28 D Heidelberg #27 But these statements can't be used to extract data, hm? Remember? SELECT count(*) FROM Users WHERE Username = '$NAME' AND Password = '$PASSWORD' Christmas already? UPDATE orders SET dstaddress = '$ADDRESS' WHERE orderid = ' ' Heartland,Hannaford? MasterCard? SELECT owner,cc_num,cc_type FROM customers WHERE owner = '$NAME'
28 ERNW GmbH Breslauer Straße 28 D Heidelberg #28 A note on vendor reactions Regarding a very simple and common SQLi attack string: or a = a J "We are also aware of that issue, but I don't see how we can effectively block this without causing a lot of false positives..."
29 ERNW GmbH Breslauer Straße 28 D Heidelberg #29 XSS filter Circumvention 1. Initial circumvention <input oninput=alert(1)>asd 2. After applying "Tag Filter" <input%0aaaaaaa oninput=location.href=' After applying "URL Filter" <input%0aaaaaaa oninput=location.href='htt'+'p://
30 ERNW GmbH Breslauer Straße 28 D Heidelberg #30 General Circumvention 3 of 4 WAFs seemed to be vulnerable to the usage of some event handlers especially in combination with tags/event handlers introduced in HTML5
31 ERNW GmbH Breslauer Straße 28 D Heidelberg #31 Short current example Web Application Firewalls
32 ERNW GmbH Breslauer Straße 28 D Heidelberg #32 Reasons for a WAF deployment Delay between discovery and fix of a vulnerability Access to application source code is: - limited - impossible
33 ERNW GmbH Breslauer Straße 28 D Heidelberg #33 tsakwaf The Swiss Army Knife for Web Application Firewalls Web Application Firewalls
34 tsakwaf Developed to support the daily work of a web application pentester and to help testing the detection capabilities of a WAF Current version: The Troopers Version J Licensed under the 3-clause BSD license tsakwaf tar.gz ERNW GmbH Breslauer Straße 28 D Heidelberg #34
35 ERNW GmbH Breslauer Straße 28 D Heidelberg #35 Supported functions Encoding XSS Code Generator HPP/HPF Code Generator WAF Fingerprinting
36 ERNW GmbH Breslauer Straße 28 D Heidelberg #36 time for a demo? tsakwaf
37 ERNW GmbH Breslauer Straße 28 D Heidelberg #37 Fingerprinting
38 ERNW GmbH Breslauer Straße 28 D Heidelberg #38 Fingerprinting
39 ERNW GmbH Breslauer Straße 28 D Heidelberg #39 Fingerprinting
40 ERNW GmbH Breslauer Straße 28 D Heidelberg #40 Fingerprinting
41 ERNW GmbH Breslauer Straße 28 D Heidelberg #41 Fingerprinting
42 ERNW GmbH Breslauer Straße 28 D Heidelberg #42 XSS Code Generator
43 ERNW GmbH Breslauer Straße 28 D Heidelberg #43 XSS Code Generator
44 ERNW GmbH Breslauer Straße 28 D Heidelberg #44 Conclusions Identification of a specific WAF is possible Blacklisting - no effective protection WAF vendors are only slowly adding new technologies Focus should lie on secure Programming (SDL)
45 ERNW GmbH Breslauer Straße 28 D Heidelberg #45 Questions?
Contemporary Web Application Attacks. Ivan Pang Senior Consultant Edvance Limited
Contemporary Web Application Attacks Ivan Pang Senior Consultant Edvance Limited Agenda How Web Application Attack impact to your business? What are the common attacks? What is Web Application Firewall
Web Application Firewall Profiling and Evasion. Michael Ritter Cyber Risk Services Deloitte
Web Application Firewall Profiling and Evasion Michael Ritter Cyber Risk Services Deloitte Content 1. Introduction 2. WAF Basics 3. Identifying a WAF 4. WAF detection tools 5. WAF bypassing methods 6.
Web Application Firewalls: What the vendors do NOT want you to know SHAKACON III
Web Application Firewalls: What the vendors do NOT want you to know $ whois WendelGH PT Consultant at Trustwave's SpiderLabs. Over 7 years in the security industry. Vulnerability discovery Webmails, AP,
Intrusion detection for web applications
Intrusion detection for web applications Intrusion detection for web applications Łukasz Pilorz Application Security Team, Allegro.pl Reasons for using IDS solutions known weaknesses and vulnerabilities
We protect you applications! No, you don t. Digicomp Hacking Day 2013 May 16 th 2013
We protect you applications! No, you don t Digicomp Hacking Day 2013 May 16 th 2013 Sven Vetsch Partner & CTO at Redguard AG www.redguard.ch Specialized in Application Security (Web, Web-Services, Mobile,
Guidelines for Web applications protection with dedicated Web Application Firewall
Guidelines for Web applications protection with dedicated Web Application Firewall Prepared by: dr inŝ. Mariusz Stawowski, CISSP Bartosz Kryński, Imperva Certified Security Engineer INTRODUCTION Security
EVADING ALL WEB-APPLICATION FIREWALLS XSS FILTERS
EVADING ALL WEB-APPLICATION FIREWALLS XSS FILTERS SEPTEMBER 2015 MAZIN AHMED [email protected] @MAZEN160 Table of Contents Topic Page Number Abstract 3 Introduction 3 Testing Environment 4 Products
Web Application Firewall Bypassing
Web Application Firewall Bypassing how to defeat the blue team KHALIL BIJJOU CYBER RISK SERVICES DELOITTE 29 th Octobre 2015 STRUCTURE Motivation & Objective Introduction to Web Application Firewalls Bypassing
Data Breaches and Web Servers: The Giant Sucking Sound
Data Breaches and Web Servers: The Giant Sucking Sound Guy Helmer CTO, Palisade Systems, Inc. Lecturer, Iowa State University @ghelmer Session ID: DAS-204 Session Classification: Intermediate The Giant
Firewalls P+S Linux Router & Firewall 2013
Firewalls P+S Linux Router & Firewall 2013 Firewall Techniques What is a firewall? A firewall is a hardware or software device which is configured to permit, deny, or proxy data through a computer network
NSFOCUS Web Application Firewall White Paper
White Paper NSFOCUS Web Application Firewall White Paper By NSFOCUS White Paper - 2014 NSFOCUS NSFOCUS is the trademark of NSFOCUS Information Technology Co., Ltd. NSFOCUS enjoys all copyrights with respect
Playing with Web Application Firewalls
Playing with Web Application Firewalls Who is Wendel? Independent penetration test analyst. Affiliated to Hackaholic team. Over 7 years in the security industry. Discovered vulnerabilities in Webmails,
Web Application Firewalls Evaluation and Analysis. University of Amsterdam System & Network Engineering MSc
Web Application Firewalls Evaluation and Analysis Andreas Karakannas [email protected] George Thessalonikefs [email protected] University of Amsterdam System & Network Engineering MSc
Web Application Security
Web Application Security Ng Wee Kai Senior Security Consultant PulseSecure Pte Ltd About PulseSecure IT Security Consulting Company Part of Consortium in IDA (T) 606 Term Tender Cover most of the IT Security
Application security testing: Protecting your application and data
E-Book Application security testing: Protecting your application and data Application security testing is critical in ensuring your data and application is safe from security attack. This ebook offers
Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH [email protected] January 17, 2014 2014 Mega Conference
Cracking the Perimeter via Web Application Hacking Zach Grace, CISSP, CEH [email protected] January 17, 2014 2014 Mega Conference About 403 Labs 403 Labs is a full-service information security and compliance
EC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST.
CENTER FOR ADVANCED SECURITY TRAINING 619 Advanced SQLi Attacks and Countermeasures Make The Difference About Center of Advanced Security Training () The rapidly evolving information security landscape
SQL Injection 2.0: Bigger, Badder, Faster and More Dangerous Than Ever. Dana Tamir, Product Marketing Manager, Imperva
SQL Injection 2.0: Bigger, Badder, Faster and More Dangerous Than Ever Dana Tamir, Product Marketing Manager, Imperva Consider this: In the first half of 2008, SQL injection was the number one attack vector
JOOMLA SECURITY. ireland website design. by Oliver Hummel. ADDRESS Unit 12D, Six Cross Roads Business Park, Waterford City
JOOMLA SECURITY by Oliver Hummel ADDRESS Unit 12D, Six Cross Roads Business Park, Waterford City CONTACT Nicholas Butler 051-393524 089-4278112 [email protected] Contents Introduction 3 Installation
Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks. Whitepaper
Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks Whitepaper The security industry has extensively focused on protecting against malicious injection attacks like
Playing with Web Application Firewalls
Playing with Web Application Firewalls DEFCON 16, August 8-10, 2008, Las Vegas, NV, USA Who is Wendel Guglielmetti Henrique? Penetration Test analyst at SecurityLabs - Intruders Tiger Team Security division
Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011 Agenda Evolving Threats Operating System Application User Generated Content JPL s Application Security Program Securing
Implementation of Web Application Firewall
Implementation of Web Application Firewall OuTian 1 Introduction Abstract Web 層 應 用 程 式 之 攻 擊 日 趨 嚴 重, 而 國 內 多 數 企 業 仍 不 知 該 如 何 以 資 安 設 備 阻 擋, 仍 在 採 購 傳 統 的 Firewall/IPS,
Where every interaction matters.
Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper
Application Security Testing
Tstsec - Version: 1 09 July 2016 Application Security Testing Application Security Testing Tstsec - Version: 1 4 days Course Description: We are living in a world of data and communication, in which the
Web Application Hacking (Penetration Testing) 5-day Hands-On Course
Web Application Hacking (Penetration Testing) 5-day Hands-On Course Web Application Hacking (Penetration Testing) 5-day Hands-On Course Course Description Our web sites are under attack on a daily basis
Java Web Application Security
Java Web Application Security RJUG Nov 11, 2003 Durkee Consulting www.rd1.net 1 Ralph Durkee SANS Certified Mentor/Instructor SANS GIAC Network Security and Software Development Consulting Durkee Consulting
Web Application Firewalls: What the vendors do NOT want you to know. The OWASP Foundation http://www.owasp.org
Web Application Firewalls: What the vendors do NOT want you to know Sandro Gauci EnableSecurity [email protected] nd Wendel G. Henrique Trustwave [email protected] Copyright The OWASP Foundation
Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet
Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet March 8, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development
Still Aren't Doing. Frank Kim
Ten Things Web Developers Still Aren't Doing Frank Kim Think Security Consulting Background Frank Kim Consultant, Think Security Consulting Security in the SDLC SANS Author & Instructor DEV541 Secure Coding
Check list for web developers
Check list for web developers Requirement Yes No Remarks 1. Input Validation 1.1) Have you done input validation for all the user inputs using white listing and/or sanitization? 1.2) Does the input validation
ASL IT Security Advanced Web Exploitation Kung Fu V2.0
ASL IT Security Advanced Web Exploitation Kung Fu V2.0 A S L I T S e c u r i t y P v t L t d. Page 1 Overview: There is a lot more in modern day web exploitation than the good old alert( xss ) and union
REAL-TIME WEB APPLICATION PROTECTION. AWF SERIES DATASHEET WEB APPLICATION FIREWALL
REAL-TIME WEB APPLICATION PROTECTION. AWF SERIES DATASHEET WEB APPLICATION FIREWALL AWF Series Web application firewalls provide industry-leading Web application attack protection, ensuring continuity
Acunetix Website Audit. 5 November, 2014. Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build 20120808)
Acunetix Website Audit 5 November, 2014 Developer Report Generated by Acunetix WVS Reporter (v8.0 Build 20120808) Scan of http://filesbi.go.id:80/ Scan details Scan information Starttime 05/11/2014 14:44:06
Protecting Your Organisation from Targeted Cyber Intrusion
Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology
HTTP Response Splitting
The Attack HTTP Response Splitting is a protocol manipulation attack, similar to Parameter Tampering The attack is valid only for applications that use HTTP to exchange data Works just as well with HTTPS
From Rivals to BFF: WAF & VA Unite OWASP 07.23.2009. The OWASP Foundation http://www.owasp.org
From Rivals to BFF: WAF & VA Unite 07.23.2009 Brian Contos, Chief Security Strategist Imperva Inc. [email protected] +1 (650) 832.6054 Copyright The Foundation Permission is granted to copy, distribute
Penta Security 3rd Generation Web Application Firewall No Signature Required. www.gasystems.com.au
Penta Security 3rd Generation Web Application Firewall No Signature Required www.gasystems.com.au 1 1 The Web Presence Demand The Web Still Grows INTERNET USERS 2006 1.2B Internet Users - 18% of 6.5B people
Protecting Against SQLi in Real-Time
The OWASP Foundation http://www.owasp.org Protecting Against SQLi in Real-Time Stuart Hancock [email protected] [email protected] AGENDA SQL injection attacks primary database security
The Web AppSec How-to: The Defenders Toolbox
The Web AppSec How-to: The Defenders Toolbox Web application security has made headline news in the past few years. Incidents such as the targeting of specific sites as a channel to distribute malware
Security Assessment of Waratek AppSecurity for Java. Executive Summary
Security Assessment of Waratek AppSecurity for Java Executive Summary ExecutiveSummary Security Assessment of Waratek AppSecurity for Java! Introduction! Between September and November 2014 BCC Risk Advisory
FORBIDDEN - Ethical Hacking Workshop Duration
Workshop Course Module FORBIDDEN - Ethical Hacking Workshop Duration Lecture and Demonstration : 15 Hours Security Challenge : 01 Hours Introduction Security can't be guaranteed. As Clint Eastwood once
WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats
WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top
ASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION
ASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION V 2.0 A S L I T S e c u r i t y P v t L t d. Page 1 Overview: Learn the various attacks like sql injections, cross site scripting, command execution
WAFFle: Fingerprinting Filter Rules of Web Application Firewalls
Email: [email protected] Twitter: @seecurity WAFFle: Fingerprinting Filter Rules of Web Application Firewalls Isabell Schmitt, Sebastian Schinzel* Friedrich-Alexander Universität Erlangen-Nürnberg
How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering
How to break in Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering Time Agenda Agenda Item 9:30 10:00 Introduction 10:00 10:45 Web Application Penetration
External Network & Web Application Assessment. For The XXX Group LLC October 2012
External Network & Web Application Assessment For The XXX Group LLC October 2012 This report is solely for the use of client personal. No part of it may be circulated, quoted, or reproduced for distribution
How Web Application Security Can Prevent Malicious Attacks
Securing Enterprise Web Applications for Critical Data Protection and PCI-DSS Compliance Selecting the Right Technology is Essential in Guarding Against Malicious Attacks White_Paper As today s organizations
THE OPEN UNIVERSITY OF TANZANIA
THE OPEN UNIVERSITY OF TANZANIA Institute of Educational and Management Technologies COURSE OUTLINES FOR DIPLOMA IN COMPUTER SCIENCE 2 nd YEAR (NTA LEVEL 6) SEMESTER I 06101: Advanced Website Design Gather
Web Application Firewall (WAF) Guide. Web Application Firewall を 理 解 するための 手 引 き A Handbook to Understand Web Application Firewall
Web Application Firewall (WAF) Guide 2 nd Edition Web Application Firewall を 理 解 するための 手 引 き A Handbook to Understand Web Application Firewall IT SECURITY CENTER, INFORMATION-TECHNOLOGY PROMOTION AGENCY,
Web Application Security
Chapter 1 Web Application Security In this chapter: OWASP Top 10..........................................................2 General Principles to Live By.............................................. 4
Cross-Site Scripting
Cross-Site Scripting (XSS) Computer and Network Security Seminar Fabrice Bodmer ([email protected]) UNIFR - Winter Semester 2006-2007 XSS: Table of contents What is Cross-Site Scripting (XSS)? Some
Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda
Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda 1. Introductions for new members (5 minutes) 2. Name of group 3. Current
Strategic Information Security. Attacking and Defending Web Services
Security PS Strategic Information Security. Attacking and Defending Web Services Presented By: David W. Green, CISSP [email protected] Introduction About Security PS Application Security Assessments
Web Application Attacks and Countermeasures: Case Studies from Financial Systems
Web Application Attacks and Countermeasures: Case Studies from Financial Systems Dr. Michael Liu, CISSP, Senior Application Security Consultant, HSBC Inc Overview Information Security Briefing Web Applications
(WAPT) Web Application Penetration Testing
(WAPT) Web Application Penetration Testing Module 0: Introduction 1. Introduction to the course. 2. How to get most out of the course 3. Resources you will need for the course 4. What is WAPT? Module 1:
3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management
What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) [email protected] Open Web Application Security Project http://www.owasp.org
ETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001
001011 1100010110 0010110001 010110001 0110001011000 011000101100 010101010101APPLICATIO 0 010WIRELESS110001 10100MOBILE00010100111010 0010NETW110001100001 10101APPLICATION00010 00100101010WIRELESS110
So happy to be here! Paparazzi over IP. Daniel Mende & Pascal Turbing {dmende pturbing}@ernw.de. www.ernw.de
So happy to be here! Paparazzi over IP Daniel Mende & Pascal Turbing {dmende pturbing}@ernw.de 2/18/2013 ERNW GmbH Carl-Bosch-Str. 4 DE-69115 Heidelberg #2 Who we are Old-school network geeks, working
How To Protect A Web Application From Attack From A Trusted Environment
Standard: Version: Date: Requirement: Author: PCI Data Security Standard (PCI DSS) 1.2 October 2008 6.6 PCI Security Standards Council Information Supplement: Application Reviews and Web Application Firewalls
Integrating Web Application Security into the IT Curriculum
Integrating Web Application Security into the IT Curriculum James Walden Northern Kentucky University Topics 1. 2. 3. 4. Why should we teach web application security? What material do we need to cover?
Adobe Systems Incorporated
Adobe Connect 9.2 Page 1 of 8 Adobe Systems Incorporated Adobe Connect 9.2 Hosted Solution June 20 th 2014 Adobe Connect 9.2 Page 2 of 8 Table of Contents Engagement Overview... 3 About Connect 9.2...
Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus
Mobile Application Hacking for Android and iphone 4-Day Hands-On Course Syllabus Android and iphone Mobile Application Hacking 4-Day Hands-On Course Course description This course will focus on the techniques
WEB APPLICATION FIREWALLS: DO WE NEED THEM?
DISTRIBUTING EMERGING TECHNOLOGIES, REGION-WIDE WEB APPLICATION FIREWALLS: DO WE NEED THEM? SHAIKH SURMED Sr. Solutions Engineer [email protected] www.fvc.com HAVE YOU BEEN HACKED????? WHAT IS THE PROBLEM?
Web Security Threat Report: January April 2007. Ryan C. Barnett WASC Member Project Lead: Distributed Open Proxy Honeypots
Web Security Threat Report: January April 2007 Ryan C. Barnett WASC Member Project Lead: Distributed Open Proxy Honeypots What are we reporting? We are presenting real, live web attack data captured in-the-wild.
Logs and Tactical Defence. Allan Stojanovic David Auclair University of Toronto #include <disclaimer.h>
R A O M Logs and Tactical Defence Allan Stojanovic David Auclair University of Toronto #include Our Environment Six /16 IPv4 networks one /32 IPv6 network (393,204 Ipv4s and 4,294,967,296
ArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young
ArcGIS Server Security Threats & Best Practices 2014 David Cordes Michael Young Agenda Introduction Threats Best practice - ArcGIS Server settings - Infrastructure settings - Processes Summary Introduction
XSS Lightsabre techniques. using Hackvertor
XSS Lightsabre techniques using Hackvertor What is Hackvertor? Tag based conversion tool Javascript property checker Javascript/HTML execution DOM browser Saves you writing code Free and no ads! Whoo hoo!
Hacking Web Apps. Detecting and Preventing Web Application Security Problems. Jorge Blanco Alcover. Mike Shema. Technical Editor SYNGRESS
Hacking Web Apps Detecting and Preventing Web Application Security Problems Mike Shema Technical Editor Jorge Blanco Alcover AMSTERDAM BOSTON HEIDELBERG LONDON NEW YORK OXFORD PARIS SAN DIEGO SAN FRANCISCO
Arrow ECS University 2015 Radware Hybrid Cloud WAF Service. 9 Ottobre 2015
Arrow ECS University 2015 Radware Hybrid Cloud WAF Service 9 Ottobre 2015 Get to Know Radware 2 Our Track Record Company Growth Over 10,000 Customers USD Millions 200.00 150.00 32% 144.1 16% 167.0 15%
CONTENTS. PCI DSS Compliance Guide
CONTENTS PCI DSS COMPLIANCE FOR YOUR WEBSITE BUILD AND MAINTAIN A SECURE NETWORK AND SYSTEMS Requirement 1: Install and maintain a firewall configuration to protect cardholder data Requirement 2: Do not
NETWORK SECURITY. Scott Hand. Melanie Rich-Wittrig. Enrique Jimenez
NETWORK SECURITY Scott Hand Melanie Rich-Wittrig Enrique Jimenez Chapter 2 In Which Firewalls Are Erected, Packets Are Snorted, And Pwnage Denied TOPICS COVERED Host Software Firewalls iptables Network
Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified
Standard: Data Security Standard (DSS) Requirement: 6.6 Date: February 2008 Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Release date: 2008-04-15 General PCI
Website Security. End-to-End Application Security from the Cloud. Cloud-Based, Big Data Security Approach. Datasheet: What You Get. Why Incapsula?
Datasheet: Website Security End-to-End Application Security from the Cloud Unmatched web application security experience, enhanced by real-time big data analytics, enables Incapsula to provide best-ofbreed
Cross Site Scripting in Joomla Acajoom Component
Whitepaper Cross Site Scripting in Joomla Acajoom Component Vandan Joshi December 2011 TABLE OF CONTENTS Abstract... 3 Introduction... 3 A Likely Scenario... 5 The Exploit... 9 The Impact... 12 Recommended
End-to-End Application Security from the Cloud
Datasheet Website Security End-to-End Application Security from the Cloud Unmatched web application security experience, enhanced by real-time big data analytics, enables Incapsula to provide best-of-breed
Security Testing: Step by Step System Audit with Rational Tools. First Presented for:
Security Testing: Step by Step System Audit with Rational Tools First Presented for: The Rational User's Conference Orlando, FL 2002 with: Chris Walters Scott Barber Chief Technology Officer PerfTestPlus,
IndusGuard Web Application Firewall Test Drive User Registration
IndusGuard Web Application Firewall Test Drive User Registration Document Version 1.0 24/06/2015 Confidentiality INDUSFACE HAS PREPARED THIS DOCUMENT FOR INTERNAL PURPOSE. NEITHER THIS DOCUMENT NOR ITS
The Wide World of WAFs
The Wide World of WAFs Ben Feinstein, CISSP GCFA SecureWorks Counter Threat Unit DEFCON 16 August 8, 2008 What s In This Talk? Web Application Firewalls (WAFs) PCI Data Security Standard Requirement 6.6
Client vs. Server Implementations of Mitigating XSS Security Threats on Web Applications
Journal of Basic and Applied Engineering Research pp. 50-54 Krishi Sanskriti Publications http://www.krishisanskriti.org/jbaer.html Client vs. Server Implementations of Mitigating XSS Security Threats
State of Web Application Security
State of Web Application Security Executive Summary Sponsored by Cenzic & Barracuda Networks Independently conducted by Ponemon Institute LLC Publication Date: February 2011 Ponemon Institute Research
Hardening Moodle. Concept and Realization of a Security Component in Moodle. a project by
Concept and Realization of a Security Component in Moodle a project by Andreas Gigli, Lars-Olof Krause, Björn Ludwig, Kai Neumann, Lars Schmidt and Melanie Schwenk 2 Agenda Plugin Installation in Moodle
STOPPING LAYER 7 ATTACKS with F5 ASM. Sven Müller Security Solution Architect
STOPPING LAYER 7 ATTACKS with F5 ASM Sven Müller Security Solution Architect Agenda Who is targeted How do Layer 7 attacks look like How to protect against Layer 7 attacks Building a security policy Layer
Pentests more than just using the proper tools
Pentests more than just using the proper tools Agenda 1. Information Security @ TÜV Rheinland 2. Penetration testing Introduction Evaluation scheme Security Analyses of web applications Internal Security
INTRUSION DECEPTION CZYLI BAW SIĘ W CIUCIUBABKĘ Z NAMI
INTRUSION DECEPTION CZYLI BAW SIĘ W CIUCIUBABKĘ Z NAMI Na przykładzie Junos WebApp Secure Edmund Asare INCONVENIENT STATISTICS 70% of ALL threats are at the Web application layer. Gartner 73% of organizations
10 Things Every Web Application Firewall Should Provide Share this ebook
The Future of Web Security 10 Things Every Web Application Firewall Should Provide Contents THE FUTURE OF WEB SECURITY EBOOK SECTION 1: The Future of Web Security SECTION 2: Why Traditional Network Security
Hacker Intelligence Initiative, Monthly Trend Report #15
January 2013 Hacker Intelligence Initiative, Monthly Trend Report #15 Lessons Learned From the Yahoo! Hack How SQL Injection Vulnerabilities in Third-Party Code Can Make for Security Cloudy 1. Executive
Bypassing Web Application Firewalls (WAFs) Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant
Bypassing Web Application Firewalls (WAFs) Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant Nethemba All About Security Highly experienced certified IT security experts (CISSP, C EH, SCSecA) Core
Web App Security Audit Services
locuz.com Professional Services Web App Security Audit Services The unsecured world today Today, over 80% of attacks against a company s network come at the Application Layer not the Network or System
2013 MONITORAPP Co., Ltd.
01 Cloud Computing Overview Intelligent Web Application Firewall For Cloud Infrastructure Introduction 2013 MONITORAPP Co., Ltd. 01 Cloud Computing Overview Cloud-based Web Firewall Overview The new form
David Rook. The Principles of Secure Development. OWASP Ireland Conference, Dublin
David Rook The Principles of Secure Development OWASP Ireland Conference, Dublin if (slide == introduction) System.out.println("I m David Rook"); Security Analyst, Realex Payments, Ireland CISSP, CISA,
Introduction: 1. Daily 360 Website Scanning for Malware
Introduction: SiteLock scans your website to find and fix any existing malware and vulnerabilities followed by using the protective TrueShield firewall to keep the harmful traffic away for good. Moreover
Detecting (and even preventing) SQL Injection Using the Percona Toolkit and Noinject!
Detecting (and even preventing) SQL Injection Using the Percona Toolkit and Noinject! Justin Swanhart Percona Live, April 2013 INTRODUCTION 2 Introduction 3 Who am I? What do I do? Why am I here? The tools
Web attacks and security: SQL injection and cross-site scripting (XSS)
Web attacks and security: SQL injection and cross-site scripting (XSS) License This work by Z. Cliffe Schreuders at Leeds Metropolitan University is licensed under a Creative Commons Attribution-ShareAlike
Enterprise-Grade Security from the Cloud
Datasheet Website Security Enterprise-Grade Security from the Cloud Unmatched web application security experience, enhanced by real-time big data analytics, enables Incapsula to provide best-of-breed security
STABLE & SECURE BANK lab writeup. Page 1 of 21
STABLE & SECURE BANK lab writeup 1 of 21 Penetrating an imaginary bank through real present-date security vulnerabilities PENTESTIT, a Russian Information Security company has launched its new, eighth
Hayri Tarhan, Sr. Manager, Public Sector Security, Oracle Ron Carovano, Manager, Business Development, F5 Networks
EXTENDING ACCESS WHILE ENHANCING CONTROL FOR YOUR ORGANIZATION S DATA LEVERAGE THE POWER OF F5 AND ORACLE TO DELIVER SECURE ACCESS TO APPLICATIONS AND DATABASES Hayri Tarhan, Sr. Manager, Public Sector