INJECTING SECURITY INTO WEB APPS WITH RUNTIME PATCHING AND CONTEXT LEARNING
|
|
|
- Kristian Lawson
- 5 years ago
- Views:
Transcription
1 INJECTING SECURITY INTO WEB APPS WITH RUNTIME PATCHING AND CONTEXT LEARNING AJIN ABRAHAM SECURITY ENGINEER
2 #WHOAMI Security Research on Runtime Application Self Defence Authored MobSF, Xenotix and NodeJSScan Teach Security: Blog:
3 AGENDA : WHAT THE TALK IS ABOUT? RASP WHAT THE TALK IS NOT ABOUT? WAF
4 APPSEC CHALLENGES Writing Secure Code is not Easy Most follows agile development strategies Frequent releases and builds Any release can introduce or reintroduce vulnerabilities Problems by design. Ex: Session Hijacking, Credential Stuffing
5 STATE OF WEB FRAMEWORK SECURITY Automatic CSRF Token - Anti CSRF Templates escapes User Input - No XSS Uses ORM - No SQLi You need to use secure APIs or write Code to enable some of these Security Bugs happens when people write bad code.
6 STATE OF WEB FRAMEWORK SECURITY Anti CSRF - Can easily be turned off/miss configurations Templates escapes User Input - Just HTML Escape -> XSS Uses ORM - SQLi is still possible
7 STATE OF WEB FRAMEWORK SECURITY Remote OS Command Execution - No Remote Code Injection - No Server Side Template Injection RCE - No Session Hijacking - No Verb Tampering - No File Upload Restriction - No The list goes on..
8 WE NEED TO PREVENT EXPLOITATION LET S USE WAF
9 CAN A WAF SOLVE THIS? First WAF AppShield in 1999, almost 18 years of existence Quick question : How many of you run a WAF in defence/ protection mode? Most organisations use them, but in monitor mode due high rate false positives. 20% 10% Most WAFs use BLACKLISTS 70% False Negatives False Positive Detection
10 APPLICATION SECURITY RULE OF THUMB Gets bypassed, today or tomorrow
11 WHAT WAF SEES? ATTACK!= VULNERABILITY
12 HOW WAF WORKS The strength of WAF is the blacklist They detect Attacks not Vulnerability WAF has no application context Doesn t know if a vulnerability got exploited inside the app server or not. HTTP REQUEST GET WAF APP SERVER HTTP RESPONSE
13 WAF PROBLEMS How long they keep on building the black lists? WAFs used to downgrade your security. No Perfect Forward Secrecy Can t Support elliptic curves like ECDHE Some started to support with a Reverse Proxy Organisations are moving to PFS (Heartbleed bug) SSL Decryption and Re-encryption Overhead
14 TLS 1.3 COMING SOON.
15 SO WHAT S THE IDEAL PLACE FOR SECURITY? REQUEST APP SERVER CORE RESPONSE SECURITY LAYER APP SERVER
16 We can do much better. It s time to evolve WAF - > SAST -> DAST -> IAST -> RASP Attack Detection & Prevention Vulnerability Detection Precise Vulnerability Detection Attack Detection & Prevention/Neutralization + Precise Vulnerability Detection + Extras
17 RUNTIME APPLICATION SELF DEFENCE Detect both Attacks and Vulnerability Zero Code Modification and Easy Integration No Hardware Requirements Apply defence inside the application Have Code Level insights Fewer False positives Inject Security at Runtime No use of Blacklists
18 TYPES OF RASP Pattern Matching with Blacklist - Old wine in new bottle (Fancy WAF) Dynamic Tainting - Good but Performance over head Virtualisation and Compartmentalisation - Good, but Less Precise, Container oriented and not application oriented, Platform Specific (JVM) Code Instrumentation and Dynamic Whitelist - Good, but specific to Frameworks, Developer deployed
19 FOCUS OF RESEARCH RASP by API Instrumentation and Dynamic Whitelist Securing a vulnerable Python Tornado app with Zero Code change. Other AppSec Challenges Preventing Verb Tampering Preventing Header Injection Code Injection Vulnerabilities File Upload Protection Preventing SQLi Ongoing Research Preventing RCE Preventing Session Hijacking Preventing Stored & Reflected XSS Preventing Layer 7 DDoS Preventing DOM XSS Credential Stuffing
20 RASP BY API INSTRUMENTATION AND DYNAMIC WHITELIST MONKEY PATCHING LEXICAL ANALYSIS CONTEXT DETERMINATION
21 MONKEY PATCHING Also know as Runtime Hooking and Patching of functions/ methods.
22 LEXICAL ANALYSIS AND TOKEN GENERATION A lexical analyzer breaks these syntaxes into a series of tokens, by removing any whitespace or comments in the source code. Lexical analyzer generates error if it sees an invalid token.
23 LEXICAL ANALYSIS AND TOKEN GENERATION INPUT: int value = 100;//value is 100 Normal Lexer SYNTAX TOKEN int KEYWORD value IDENTIFIER = OPERATOR 100 CONSTANT ; SYMBOL Custom Lexer SYNTAX int value TOKEN KEYWORD WHITESPACE IDENTIFIER WHITESPACE = OPERATOR WHITESPACE 100 CONSTANT ; SYMBOL //value is 100 COMMENT
24 CONTEXT DETERMINATION HTML CODE HTML PARSER DOM TREE
25 PREVENTING CODE INJECTION VULNERABILITIES Interpreter cannot distinguish between Code and Data Solve that and you solve the code injection problems
26 PREVENTING CODE INJECTION VULNERABILITIES Preventing SQL Injection Preventing Remote OS Command Execution Preventing Stored & Reflected Cross Site Scripting Preventing DOM XSS
27 SQL INJECTION SELECT * FROM <user_input>
28 SQL INJECTION : HOOK SQL Execution API cursor.execute( SELECT * FROM logs )
29 SQL INJECTION : LEARN SELECT * FROM logs SYNTAX TOKEN SELECT KEYWORD WHITESPACE * OPERATOR WHITESPACE FROM KEYWORD WHITESPACE logs STRING
30 SQL INJECTION : PROTECT SELECT * FROM logs AND DROP TABLE admin SYNTAX TOKEN SELECT KEYWORD WHITESPACE * OPERATOR WHITESPACE FROM KEYWORD WHITESPACE logs STRING WHITESPACE AND KEYWORD WHITESPACE DROP KEYWORD WHITESPACE TABLE KEYWORD WHITESPACE admin STRING
31 SQL INJECTION : PROTECT Rule for Context: SELECT * FROM <user_input> KEYWORD WHITESPACE OPERATOR WHITESPACE KEYWORD WHITESPACE STRING SELECT * FROM logs SELECT * FROM history SELECT * FROM logs AND DROP TABLE admin KEYWORD WHITESPACE OPERATOR WHITESPACE KEYWORD WHITESPACE STRING WHITESPACE KEYWORD WHITESPACE KEYWORD WHITESPACE KEYWORD WHITESPACE STRING
32 DEMO
33 REMOTE OS COMMAND INJECTION ping -c 3 <user input>
34 REMOTE OS COMMAND INJECTION : HOOK Command Execution API os.system(ping -c )
35 REMOTE OS COMMAND INJECTION : LEARN ping -c SYNTAX TOKEN ping EXECUTABLE WHITESPACE -c ARGUMENT_DASH WHITESPACE 3 NUMBER WHITESPACE IP_OR_DOMAIN
36 REMOTE OS COMMAND INJECTION : PROTECT ping -c & cat /etc/passwd SYNTAX TOKEN ping EXECUTABLE WHITESPACE -c ARGUMENT_DASH WHITESPACE 3 NUMBER WHITESPACE IP_OR_DOMAIN WHITESPACE & SPLITTER WHITESPACE cat EXECUTABLE WHITESPACE /etc/passwd UNIX_PATH
37 REMOTE OS COMMAND INJECTION : PROTECT Rule for Context: ping -c 3 <user_input> EXECUTABLE WHITESPACE ARGUMENT_DASH WHITESPACE NUMBER WHITESPACE IP_OR_DOMAIN ping -c ping -c 3 google.com ping -c & cat /etc/passwd EXECUTABLE WHITESPACE ARGUMENT_DASH WHITESPACE NUMBER WHITESPACE IP_OR_DOMAIN WHITESPACE SPLITTER WHITESPACE EXECUTABLE WHITESPACE UNIX_PATH
38 DEMO
39 CROSS SITE SCRIPTING <body><h1>hello {{user_input1}} </h1></body> <script> var x= {{user_input2}} ;</script>
40 CROSS SITE SCRIPTING : HOOK Template Rendering API template.render( <body><h1>hello {{user_input1}} </h1></body><script> var x= {{user_input2}} ; </script>, user_input1, user_input2)
41 CROSS SITE SCRIPTING : CONTEXT DETERMINATION <body><h1>hello {{user_input1}} </h1></body><script> var x= {{user_input2}} ; </script> Parsing the DOM Tree HTML_CONTEXT JAVASCRIPT_VALUE_CONTEXT
42 CROSS SITE SCRIPTING : PROTECT <body><h1>hello {{user_input1}} </h1></body> <script> var x= {{user_input2}} ;</script> user_input1 = World user_input2 = Hello World <body><h1>hello World </h1></body> <script> var x= Hello World ;</script>
43 CROSS SITE SCRIPTING : PROTECT user_input1 = <script>alert(0)</script> user_input2 = ;alert(0);//</script> <body><h1>hello <script>alert(0)</ script> </h1></body> <script> var x= \';alert(0);//\x3c/script\x3e ;</ script>
44 DEMO
45 PREVENTING DOM XSS Inject Security into JavaScript Frameworks Common JavaScript Frameworks - jquery, AngularJS, MustacheJS etc DOMPurify - jpurify -
46 OTHER APPSEC CHALLENGES Preventing Verb Tampering Preventing Header Injection File Upload Protection Preventing Path Traversal
47 PREVENTING VERB TAMPERING WAFs blindly blocks TRACE and OPTION Request Hook HTTP Request API Learn the HTTP Verbs and Generate Whitelist Block if not in the list DEMO
48 PREVENTING HEADER INJECTION Unlike WAF we don t have to keep a blacklist of every possible encoded combination of %0a and %0d Hook HTTP Request API Look for %0a,%0d in HTTP Request Headers Block if Present DEMO
49 FILE UPLOAD PROTECTION Classic File Upload Bypass image.jpg.php, image.php3 etc. Hook File/IO API : io.open( /tmp/nice.jpg, 'wb') Learn file extensions to create a whitelist. Block any unknown file extensions io.open( /tmp/nice.py, 'wb') DEMO
50 PREVENTING PATH TRAVERSAL WAF Looks for
51 PREVENTING PATH TRAVERSAL Hook File/IO API: io.open( /read_dir/index.txt, rb') Learn directories and file extensions Block any unknown directories and file extensions io.open( /read_dir/../../etc/passwd, 'rb') DEMO
52 ON GOING RESEARCH Preventing Session Hijacking Preventing Layer 7 DDoS Credential Stuffing
53 THE RASP ADVANTAGES Accurate and Precise in Vulnerability Detection & Prevention Code Level Insight (Line no, Stack trace) Not based on Heuristics - Zero/Negligible False Positives No SSL Decryption and Re-encryption overhead Doesn t Downgrade your Security Preemptive security - Zero Day protection Zero Code Change and easy integration pip install rasp_module import rasp_module
54 BIGGEST ADVANTAGE Now you can deploy it on protection mode
55 CHARACTERISTICS OF AN IDEAL RASP Ideal RASP should have minimal Performance impact Should not introduce vulnerabilities Must not consume PII of users Should not learn the bad stuff Should be a real RASP not a fancy WAF with Blacklist. Minimal Configuration and Easy deployment
56 THAT S ALL FOLKS! Thanks to Zaid Al Hamami, Mike Milner, Steve Williams, Oliver Lavery (Team IMMUNIO inc). Kamaiah, Francis, Bharadwaj, Surendar, Sinu, Vivek (Team Yodlee Security Office - YSO) Due Credits Graphics/Image ajin25@gmail.com
Protect your apps and your customers against application layer attacks
Protect your apps and your customers against application layer attacks Development 1 IT Operations VULNERABILITY DETECTION Bots, hackers, and other bad actors will find and exploit vulnerabilities in web
Application security : going quicker
Application security : going quicker The web application firewall example Agenda Agenda o Intro o Application security o The dev team approach o The infra team approach o Impact of the agility o The WAF
Application Security through a Hacker s Eyes James Walden Northern Kentucky University
Application Security through a Hacker s Eyes James Walden Northern Kentucky University waldenj@nku.edu Why Do Hackers Target Web Apps? Attack Surface A system s attack surface consists of all of the ways
WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang
WEB SECURITY WORKSHOP TEXSAW 2014 Presented by Solomon Boyd and Jiayang Wang Introduction and Background Targets Web Applications Web Pages Databases Goals Steal data Gain access to system Bypass authentication
Web Penetration Testing
Web Penetration Testing What is a Website How to hack a Website? Computer with OS and some servers. Apache, MySQL...etc Contains web application. PHP, Python...etc Web application is executed here and
OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example
Proxy Caches and Web Application Security Using the Recent Google Docs 0-Day as an Example Tim Bass, CISSP Chapter Leader, Thailand +66832975101, tim@unix.com AppSec Asia October 21, 2008 Thailand Worldwide
Web Application Penetration Testing
Web Application Penetration Testing COURSE BROCHURE & SYLLABUS Course Overview Web Application penetration Testing (WAPT) is the Security testing techniques for vulnerabilities or security holes in corporate
Let me secure that for you!
Let me secure that for you! Appsec AU, 9 Sept 2017 Kirk Jackson @kirkj lmstfu.com @LetMeSecureThat This talk is not about RedShield! We are the world's first web application shielding-with-a-service cybersecurity
Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14
Attacks Against Websites 3 The OWASP Top 10 Tom Chothia Computer Security, Lecture 14 OWASP top 10. The Open Web Application Security Project Open public effort to improve web security: Many useful documents.
Security. CSC309 TA: Sukwon Oh
Security CSC309 TA: Sukwon Oh Outline SQL Injection NoSQL Injection (MongoDB) Same Origin Policy XSSI XSS CSRF (XSRF) SQL Injection What is SQLI? Malicious user input is injected into SQL statements and
CIS 4360 Secure Computer Systems XSS
CIS 4360 Secure Computer Systems XSS Professor Qiang Zeng Spring 2017 Some slides are adapted from the web pages by Kallin and Valbuena Previous Class Two important criteria to evaluate an Intrusion Detection
Application Security at DevOps Speed and Portfolio Scale. Jeff Contrast Security
Application Security at DevOps Speed and Portfolio Scale Jeff Williams @planetlevel Contrast Security OWASP XSS Prevention Cheat Sheet 1,000,000 Page Views! https://www.owasp.org/index.php/xss_(cross_site_scripting)_prevention_cheat_sheet
Secure Coding and Code Review. Berlin : 2012
Secure Coding and Code Review Berlin : 2012 Outline Overview of top vulnerabilities Code review practice Secure design / writing secure code Write some secure code Review a volunteer's code Top Problems
Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007
Web 2.0 and AJAX Security OWASP Montgomery August 21 st, 2007 Overview Introduction Definition of Web 2.0 Basics of AJAX Attack Vectors for AJAX Applications AJAX and Application Security Conclusions 1
An Introduction to Runtime Application Self-Protection (RASP)
Product Analysis June 2016 An Introduction to Runtime Application Self-Protection (RASP) The Transformational Application Security Technology that Improves Protection and Operations Highly accurate. Easy
Don t blink or how to create secure software. Bozhidar Bozhanov, LogSentinel
Don t blink or how to create secure software Bozhidar Bozhanov, CEO @ LogSentinel About me Senior software engineer and architect Founder & CEO @ LogSentinel Former IT and e-gov advisor to the deputy prime
GOING WHERE NO WAFS HAVE GONE BEFORE
GOING WHERE NO WAFS HAVE GONE BEFORE Andy Prow Aura Information Security Sam Pickles Senior Systems Engineer, F5 Networks NZ Agenda: WTF is a WAF? View from the Trenches Example Attacks and Mitigation
Exploiting and Defending: Common Web Application Vulnerabilities
Exploiting and Defending: Common Web Application Vulnerabilities Introduction: Steve Kosten Principal Security Consultant SANS Instructor Denver OWASP Chapter Lead Certifications CISSP, GWAPT, GSSP-Java,
haltdos - Web Application Firewall
haltdos - DATASHEET Delivering best-in-class protection for modern enterprise Protect your website against OWASP top-10 & Zero-day vulnerabilities, DDoS attacks, and more... Complete Attack Protection
Lecture Overview. IN5290 Ethical Hacking
Lecture Overview IN5290 Ethical Hacking Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks Universitetet i Oslo Laszlo Erdödi How to use Burp
Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks
IN5290 Ethical Hacking Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks Universitetet i Oslo Laszlo Erdödi Lecture Overview How to use Burp
RKN 2015 Application Layer Short Summary
RKN 2015 Application Layer Short Summary HTTP standard version now: 1.1 (former 1.0 HTTP /2.0 in draft form, already used HTTP Requests Headers and body counterpart: answer Safe methods (requests): GET,
OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13
Airlock and the OWASP TOP 10-2017 Version 2.1 11.24.2017 OWASP Top 10 A1 Injection... 3 A2 Broken Authentication... 5 A3 Sensitive Data Exposure... 6 A4 XML External Entities (XXE)... 7 A5 Broken Access
OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP
OWASP Top 10 Risks Dean.Bushmiller@ExpandingSecurity.com Many thanks to Dave Wichers & OWASP My Mom I got on the email and did a google on my boy My boy works in this Internet thing He makes cyber cafes
We will show you how we bypassed every XSS mitigation we tested. Mitigation bypass-ability via script gadget chains in 16 popular libraries
We will show you how we bypassed every XSS mitigation we tested. Mitigation bypass-ability via script gadget chains in 16 popular libraries PoCs included Content Security Policy WAFs whitelists nonces
Web Security 2 https://www.xkcd.com/177/ http://xkcd.com/1323/ Encryption basics Plaintext message key secret Encryp)on Func)on Ciphertext Insecure network Decryp)on Func)on Curses! Foiled again! key Plaintext
OWASP Top 10 The Ten Most Critical Web Application Security Risks
OWASP Top 10 The Ten Most Critical Web Application Security Risks The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain
OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati
OWASP TOP 10 2017 Release Andy Willingham June 12, 2018 OWASP Cincinnati Agenda A quick history lesson The Top 10(s) Web Mobile Privacy Protective Controls Why have a Top 10? Software runs the world (infrastructure,
Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title
Defend Your Web Applications Against the OWASP Top 10 Security Risks Speaker Name, Job Title Application Security Is Business Continuity Maintain and grow revenue Identify industry threats Protect assets
Security in a Mainframe Emulator. Chaining Security Vulnerabilities Until Disaster Strikes (twice) Author Tim Thurlings & Meiyer Goren
Security in a Mainframe Emulator Chaining Security Vulnerabilities Until Disaster Strikes (twice) Author Tim Thurlings & Meiyer Goren October 25, 2017 Table of Contents Introduction... 2 About this paper...
CNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components
CNIT 129S: Securing Web Applications Ch 10: Attacking Back-End Components Injecting OS Commands Web server platforms often have APIs To access the filesystem, interface with other processes, and for network
Secure Parameter Filter (SPF) (AKA Protecting Vulnerable Applications with IIS7) Justin Clarke, Andrew Carey Nairn
Secure Parameter Filter (SPF) (AKA Protecting Vulnerable Applications with IIS7) Justin Clarke, Andrew Carey Nairn Our Observations The same old code-level problems Input Validation, Parameter Manipulation,
CNIT 129S: Securing Web Applications. Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2
CNIT 129S: Securing Web Applications Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2 Finding and Exploiting XSS Vunerabilities Basic Approach Inject this string into every parameter on every
This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in
1 This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in terms of prevalence (how much the vulnerability is widespread),
Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009
Securing Web Applications: Defense Mechanisms Kishin Fatnani Founder & Director K-Secure Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009 1 Agenda Current scenario in Web Application
Application Security Introduction. Tara Gu IBM Product Security Incident Response Team
Application Security Introduction Tara Gu IBM Product Security Incident Response Team About Me - Tara Gu - tara.weiqing@gmail.com - Duke B.S.E Biomedical Engineering - Duke M.Eng Computer Engineering -
EasyCrypt passes an independent security audit
July 24, 2017 EasyCrypt passes an independent security audit EasyCrypt, a Swiss-based email encryption and privacy service, announced that it has passed an independent security audit. The audit was sponsored
Solutions Business Manager Web Application Security Assessment
White Paper Solutions Business Manager Solutions Business Manager 11.3.1 Web Application Security Assessment Table of Contents Micro Focus Takes Security Seriously... 1 Solutions Business Manager Security
DreamFactory Security Guide
DreamFactory Security Guide This white paper is designed to provide security information about DreamFactory. The sections below discuss the inherently secure characteristics of the platform and the explicit
Featuring. and. Göteborg. Ulf Larson Thursday, October 24, 13
Featuring and Göteborg OWASP top ten 2013 Based on risk data from eight firms that specialize in application security, This data spans over 500,000 vulnerabilities across hundreds of organizations and
Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web
Security and Privacy SWE 432, Fall 2016 Design and Implementation of Software for the Web Today Security What is it? Most important types of attacks Privacy For further reading: https://www.owasp.org/index.php/
Securing ArcGIS Services
Federal GIS Conference 2014 February 10 11, 2014 Washington DC Securing ArcGIS Services James Cardona Agenda Security in the context of ArcGIS for Server Background concepts Access Securing web services
Application vulnerabilities and defences
Application vulnerabilities and defences In this lecture We examine the following : SQL injection XSS CSRF SQL injection SQL injection is a basic attack used to either gain unauthorized access to a database
Surrogate Dependencies (in
Surrogate Dependencies (in NodeJS) @DinisCruz London, 29th Sep 2016 Me Developer for 25 years AppSec for 13 years Day jobs: Leader OWASP O2 Platform project Application Security Training JBI Training,
Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any
OWASP Top 10 Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any tester can (and should) do security testing
86% of websites has at least 1 vulnerability and an average of 56 per website WhiteHat Security Statistics Report 2013
Vulnerabilities help make Web application attacks amongst the leading causes of data breaches +7 Million Exploitable Vulnerabilities challenge organizations today 86% of websites has at least 1 vulnerability
Quick housekeeping Last Two Homeworks Extra Credit for demoing project prototypes Reminder about Project Deadlines/specifics Class on April 12th Resul
CIS192 Python Programming Web Frameworks and Web APIs Harry Smith University of Pennsylvania March 29, 2016 Harry Smith (University of Pennsylvania) CIS 192 March 29, 2016 1 / 25 Quick housekeeping Last
Web Security. Web Programming.
Web Security Web Programming yslin@datalab 1 OWASP Top 10 Security Risks in 2017 Rank Name 1 Injection 2 Broken Authentication and Session Management 3 Cross-Site Scripting (XSS) 4 Broken Access Control
epldt Web Builder Security March 2017
epldt Web Builder Security March 2017 TABLE OF CONTENTS Overview... 4 Application Security... 5 Security Elements... 5 User & Role Management... 5 User / Reseller Hierarchy Management... 5 User Authentication
C1: Define Security Requirements
OWASP Top 10 Proactive Controls IEEE Top 10 Software Security Design Flaws OWASP Top 10 Vulnerabilities Mitigated OWASP Mobile Top 10 Vulnerabilities Mitigated C1: Define Security Requirements A security
Application Security at Scale
Jake Marcinko Standards Manager, PCI Security Standards Council Jeff Williams CTO, Contrast Security Application Security at Scale AppSec at Scale Delivering Timely Security Solutions / Services to Meet
Saving Time and Costs with Virtual Patching and Legacy Application Modernizing
Case Study Virtual Patching/Legacy Applications May 2017 Saving Time and Costs with Virtual Patching and Legacy Application Modernizing Instant security and operations improvement without code changes
Browser Exploits? Grab em by the Collar! Presented By: Debasish Mandal
Browser Exploits? Grab em by the Collar! Presented By: Debasish Mandal (@debasishm89) About Me Security researcher, currently working in McAfee IPS Vulnerability Research Team. Working in information security
Application Security Use Cases. RASP, WAF, NGWAF, What The Hell is The Difference.
Application Security Use Cases RASP, WAF, NGWAF, What The Hell is The Difference. Acronym Soup July 29, 2016 2 July 29, 2016 3 Definition of Terms WAF Web Application Firewall / waf / noun 1. An appliance,
An Introduction to the Waratek Application Security Platform
Product Analysis January 2017 An Introduction to the Waratek Application Security Platform The Transformational Application Security Technology that Improves Protection and Operations Highly accurate.
CS 142 Winter Session Management. Dan Boneh
CS 142 Winter 2009 Session Management Dan Boneh Sessions A sequence of requests and responses from one browser to one (or more) sites Session can be long (Gmail - two weeks) or short without session mgmt:
SECURITY TESTING. Towards a safer web world
SECURITY TESTING Towards a safer web world AGENDA 1. 3 W S OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS ate: 2013-14 Few Security Breaches September
WEB APPLICATION SCANNERS. Evaluating Past the Base Case
WEB APPLICATION SCANNERS Evaluating Past the Base Case GREG OSE PATRICK TOOMEY Presenter Intros Overview An overview of web application scanners Why is it hard to evaluate scanner efficacy? Prior Work
String Analysis for the Detection of Web Application Flaws
String Analysis for the Detection of Web Application Flaws Luca Carettoni l.carettoni@securenetwork.it Claudio Merloni c.merloni@securenetwork.it CONFidence 2007 - May 12-13, Kraków, Poland 04/05/07 1
The Way of the Bounty. by David Sopas
The Way of the Bounty by David Sopas (@dsopas) ./whoami Security Consultant for Checkmarx Security Team Leader for Char49 Disclosed more than 50 security advisories Founder of WebSegura.net Love to hack
BOOSTING THE SECURITY OF YOUR ANGULAR 2 APPLICATION
BOOSTING THE SECURITY OF YOUR ANGULAR 2 APPLICATION Philippe De Ryck NG-BE Conference, December 9 th 2016 https://www.websec.be ABOUT ME PHILIPPE DE RYCK My goal is to help you build secure web applications
WHITEPAPER THE EVOLUTION OF APPSEC: FROM WAFS TO AUTONOMOUS APPLICATION PROTECTION
WHITEPAPER THE EVOLUTION OF APPSEC: FROM WAFS TO AUTONOMOUS APPLICATION PROTECTION 2 Web application firewalls (WAFs) entered the security market at the turn of the century as web apps became increasingly
THE FUTURE OF APPSEC AUTOMATION WHY YOUR APPSEC EXPERTS ARE KILLING YOU. Jeff Williams,
THE FUTURE OF APPSEC AUTOMATION WHY YOUR APPSEC EXPERTS ARE KILLING YOU Jeff Williams, CTO @planetlevel CONTRAST SECURITY 291 Lambert Avenue Palo Alto, California 94306 www.contrastsecurity.com ARE YOU
High -Tech Bridge s Web Server Security Service API Developer Documentation Version v1.3 February 13 th 2018
HTB_WEBSECDOCS_v1.3.pdf Page 1 of 29 High -Tech Bridge s Web Server Security Service API Developer Documentation Version v1.3 February 13 th 2018 General Overview... 2 Meta-information... 4 HTTP Additional
Finding Vulnerabilities in Source Code
Finding Vulnerabilities in Source Code Jason Miller CSCE 813 Fall 2012 Outline Approaches to code review Signatures of common vulnerabilities Language-independent considerations Tools for code browsing
Black Hat Europe 2006
Black Hat Europe 2006 Paraegis Project Round 2: Using Razorwire HTTP proxy to strengthen webapp session handling and reduce attack surface Project Paraegis is: Currently Hosted at: www.anachronic.com/paraegis
SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications
Enabling and Securing Digital Business in Economy Protect s Serving Business Critical Applications 40 percent of the world s web applications will use an interface Most enterprises today rely on customers
Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection
Is Browsing Safe? Web Browser Security Charlie Reis Guest Lecture - CSE 490K - 5/24/2007 Send Spam Search Results Change Address? Install Malware Web Mail Movie Rentals 2 Browser Security Model Pages are
F5 comprehensive protection against application attacks. Jakub Sumpich Territory Manager Eastern Europe
F5 comprehensive protection against application attacks Jakub Sumpich Territory Manager Eastern Europe j.sumpich@f5.com Evolving Security Threat Landscape cookie tampering Identity Extraction DNS Cache
NoSQL: NoInjections or NoSecurity
NoSQL: NoInjections or NoSecurity A Guide to MongoDB Exploitation Stark Riedesel Oct 2016 What is Document Database (NoSQL) Documents = JSON Schema-free Nested documents (No JOINs) BSON for efficiency
Web Security IV: Cross-Site Attacks
1 Web Security IV: Cross-Site Attacks Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab3 New terminator: http://www.cs.ucr.edu/~csong/sec/17/l/new_terminator Bonus for solving the old one
Evaluation Criteria for Web Application Firewalls
Evaluation Criteria for Web Application Firewalls Ivan Ristić VP Security Research Breach Security 1/31 Introduction Breach Security Global headquarters in Carlsbad, California Web application security
Bypassing Web Application Firewalls
Bypassing Web Application Firewalls an approach for pentesters KHALIL BIJJOU SECURITY CONSULTANT 17 th November 2017 BYPASSING A WAF WHY? Number of deployed Web Application Firewalls (WAFs) is increasing
Security Solution. Web Application
Web Application Security Solution Netsparker is a web application security solution that can be deployed on premise, on demand or a combination of both. Unlike other web application security scanners,
WHY CSRF WORKS. Implicit authentication by Web browsers
WHY CSRF WORKS To explain the root causes of, and solutions to CSRF attacks, I need to share with you the two broad types of authentication mechanisms used by Web applications: 1. Implicit authentication
GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.
Report on IRONWASP Software Product: IronWASP Description of the Product: IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing.
The Attacker s POV Hacking Mobile Apps. in Your Enterprise to Reveal Real Vulns and Protect the Business. Tony Ramirez
The Attacker s POV Hacking Mobile Apps in Your Enterprise to Reveal Real Vulns and Protect the Business Tony Ramirez AGENDA & SPEAKERS Introduction Attacks on Mobile Live Demo Recommendations Q&A Tony
eb Security Software Studio
eb Security Software Studio yslin@datalab 1 OWASP Top 10 Security Risks in 2017 Rank Name 1 Injection 2 Broken Authentication and Session Management 3 Cross-Site Scripting (XSS) 4 Broken Access Control
Practical Automated Web Application Attack Techniques Justin Clarke Gotham Digital Science Gotham Digital Science Ltd
Practical Automated Web Application Attack Techniques Justin Clarke Gotham Digital Science Why this talk? The techniques are well known, but how about some way of applying ppy them? Commercial tools are
Practical Techniques for Regeneration and Immunization of COTS Applications
Practical Techniques for Regeneration and Immunization of COTS Applications Lixin Li Mark R.Cornwell E.Hultman James E. Just R. Sekar Stony Brook University Global InfoTek, Inc (Research supported by DARPA,
Domino Web Server Security
Domino Web Server Security What you don t know can cost you Andrew Pollack, President Northern Collaborative Technologies andrewp@thenorth.com http://www.thenorth.com Special thanks to Howard Greenberg
Web security: an introduction to attack techniques and defense methods
Web security: an introduction to attack techniques and defense methods Mauro Gentile Web Application Security (Elective in Computer Networks) F. d'amore Dept. of Computer, Control, and Management Engineering
Web Application Firewall
Web Application Firewall Take chances with innovation, not security. HaltDos Web Application Firewall offers unmatched security capabilities, customization options and reporting analytics for the most
Some Facts Web 2.0/Ajax Security
/publications/notes_and_slides Some Facts Web 2.0/Ajax Security Allen I. Holub Holub Associates allen@holub.com Hackers attack bugs. The more complex the system, the more bugs it will have. The entire
Is Runtime Application Self Protection (RASP) too good to be true?
Is Runtime Application Self Protection (RASP) too good to be true? An introduction to the power of runtime protection: patch, secure, and upgrade your applications without source code changes or downtime
ForeScout CounterACT. Security Policy Templates. Configuration Guide. Version
ForeScout CounterACT Security Policy Templates Version 18.0.1 Table of Contents About Security Policy Templates... 3 Tracking Vulnerable and Infected Endpoints... 3 Requirements... 3 Installation... 4
Advanced Techniques for DDoS Mitigation and Web Application Defense
Advanced Techniques for DDoS Mitigation and Web Application Defense Dr. Andrew Kane, Solutions Architect Giorgio Bonfiglio, Technical Account Manager June 28th, 2017 2017, Amazon Web Services, Inc. or
So we broke all CSPs. You won't guess what happened next!
So we broke all CSPs You won't guess what happened next! whoami and Past Work Michele Spagnuolo Senior Information Security Engineer bitiodine.net rosettaflash.com Recap what happened last year Summary
Client Side Security And Testing Tools
OWASP Jakarta Tech Day Meetup 2017 Client Side Security And Testing Tools David Cervigni @ Minded Security Agenda Short Intro Client side threats: Why important/difficult Examples: Dom XSS, HTTP Param
JOE WIPING OUT CSRF
JOE ROZNER @JROZNER WIPING OUT CSRF IT S 2017 WHAT IS CSRF? 4 WHEN AN ATTACKER FORCES A VICTIM TO EXECUTE UNWANTED OR UNINTENTIONAL HTTP REQUESTS WHERE DOES CSRF COME FROM? LET S TALK HTTP SAFE VS. UNSAFE
Securing ArcGIS Server Services An Introduction
2013 Esri International User Conference July 8 12, 2013 San Diego, California Technical Workshop Securing ArcGIS Server Services An Introduction David Cordes & Derek Law Esri - Redlands, CA Agenda Security
Backend IV: Authentication, Authorization and Sanitization. Tuesday, January 13, 15
6.148 Backend IV: Authentication, Authorization and Sanitization The Internet is a scary place Security is a big deal! TODAY What is security? How will we try to break your site? Authentication,
VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED
AUTOMATED CODE ANALYSIS WEB APPLICATION VULNERABILITIES IN 2017 CONTENTS Introduction...3 Testing methods and classification...3 1. Executive summary...4 2. How PT AI works...4 2.1. Verifying vulnerabilities...5
Copyright
1 Security Test EXTRA Workshop : ANSWER THESE QUESTIONS 1. What do you consider to be the biggest security issues with mobile phones? 2. How seriously are consumers and companies taking these threats?
An SDLC for the DevSecOps Era Or SecDevOps, or DevOpsSec,
An SDLC for the DevSecOps Era Or SecDevOps, or DevOpsSec, or zane@signalsciences.com @zanelackey Who you ll be heckling today Started out in offense Pentester / researcher at isec Partners / NCC Group
SECURE CODING ESSENTIALS
SECURE CODING ESSENTIALS DEFENDING YOUR WEB APPLICATION AGAINST CYBER ATTACKS ROB AUGUSTINUS 30 MARCH 2017 AGENDA Intro - A.S. Watson and Me Why this Presentation? Security Architecture Secure Code Design
F5 Application Security. Radovan Gibala Field Systems Engineer
1 F5 Application Security Radovan Gibala Field Systems Engineer r.gibala@f5.com +420 731 137 223 2007 2 Agenda Challenge Websecurity What are the problems? Building blocks of Web Applications Vulnerabilities
Mavituna Security Ltd. Finance House, 522A Uxbridge Rd. Pinner. HA5 3PU / UK
Netsparker is the first false positive free scanner. In this document you can see the details of features, how to use them and how to tweak Netsparker. If you can t find what you are looking for, please
Configuring User Defined Patterns
The allows you to create customized data patterns which can be detected and handled according to the configured security settings. The uses regular expressions (regex) to define data type patterns. Custom
CSRF in the Modern Age
CSRF in the Modern Age Sidestepping the CORS Standard Tanner Prynn @tannerprynn In This Talk The State of CSRF The CORS Standard How Not To Prevent CSRF The Fundamentals of HTTP Without cookies: With cookies: