COMP9321 Web Application Engineering

Size: px
Start display at page:

Download "COMP9321 Web Application Engineering"

Transcription

1 COMP9321 Web Application Engineering Semester 2, 2017 Dr. Amin Beheshti Service Oriented Computing Group, CSE, UNSW Australia Week 9 1

2 Assignment 1 Marks on GradeBook Assignment 2 Due: end of Mid Semester Break: Sunday, Oct , 23:59:00 Assignment 3 Released Course Noticeboard 2

3 Introduction to Web Application Security Acknowledgements This presentation contains material prepared by Halvard Skogsrud, Senior Software Engineer, Thoughtworks, Inc. Sydney, Australia and from the Open Web Application Security Project (OWASP) 3

4 Introduction to Web Application Security Warning The objective of this presentation is to show you common security loopholes appearing in Web applications. However, it is not meant to encourage you to attack web applications. Such actions are both a breach of the law in most countries, and of the CSE policy. Hence, by attempting any of the techniques presented in this lecture, you may be prosecuted by law enforcement and face expulsion from the university. 4

5 Securing your Web Application 5

6 Securing your Web Application: Threats! 6

7 Securing your Web Application: Threats! 7

8 Securing your Web Application: Threats! 8

9 Securing your Web Application: Threats! 9

10 Securing your Web Application: Requirements! 10

11 SQL Injection 11

12 SQL injection: SQL Injection is a code injection technique. used to attack data-driven applications How: a malicious SQL statements are inserted into an entry field for execution. 12

13 SQL injection: SQL Injection is a code injection technique. used to attack data-driven applications How: a malicious SQL statements are inserted into an entry field for execution. 13

14 SQL Injection: What is wrong? 14

15 SQL Injection: What is wrong? 15

16 SQL Injection: What is wrong? Google(comment in sql) 16

17 SQL Injection: What is wrong? 17

18 SQL Injection: Summary! 18

19 SQL Injection: Prevention!! To keep malicious inputs contained, any inputs written to the database need to be encoded. SQL encoding: ' OR 1=1 --' is encoded to \ \'\ OR\ 1\=1\ \-\-' Example: 19

20 SQL Injection: Prevention!! 20

21 Cross Site Scripting (XSS) 21

22 Cross Site Scripting (XSS) Cross-site scripting (XSS): is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side script into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. 22

23 Cross Site Scripting (XSS) Cross-site scripting (XSS): is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side script into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Same-origin policy is an important concept in the web application security model. Under the policy, a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin. 23

24 Cross Site Scripting (XSS) Cross-site scripting (XSS): is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side script into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Same-origin policy is an important concept in the web application security model. Under the policy, a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin. e.g., a combination of URI scheme, hostname, and port number. 24

25 Cross Site Scripting (XSS): What is wrong? 25

26 Cross Site Scripting (XSS): What is wrong? Suppose the victim is given this URL by the attacker ( 26

27 Cross Site Scripting (XSS): What is wrong? Suppose the victim is given this URL by the attacker ( The web page would then be injected with the following script: 27

28 Cross Site Scripting (XSS): Summary! 28

29 Cross Site Scripting (XSS): Summary! What is the worst an attacker can do with JavaScript? Malicious JavaScript has access to all the same objects the rest of the web page has, including access to cookies. JavaScript can read and make arbitrary modifications to the browser s DOM (within the page that JavaScript is running). JavaScript can use XMLHttpRequest to send HTTP requests with arbitrary content to arbitrary destinations. JavaScript in modern browsers can leverage HTML5 APIs such as accessing a user s geolocation, webcam, microphone and even the specific files from the user s file system. 29

30 Cross Site Scripting (XSS): Prevention!! 30

31 Cross Site Scripting (XSS): Prevention!! 31

32 Cross Site Request Forgery (CSRF) 32

33 Cross Site Request Forgery (CSRF) Cross-site request forgery also known as a one-click attack or session riding abbreviated as CSRF or XSRF is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts 33

34 Cross Site Request Forgery (CSRF) Cross-site request forgery also known as a one-click attack or session riding abbreviated as CSRF or XSRF is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts Exploit: is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software 34

35 Cross Site Request Forgery (CSRF) Cross-site request forgery also known as a one-click attack or session riding abbreviated as CSRF or XSRF is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts Exploit: is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software Such behavior frequently includes things like gaining control of a computer system, allowing privilege escalation, or a denial-of-service attack. 35

36 Cross Site Request Forgery (CSRF) 36

37 Cross Site Request Forgery (CSRF) 37

38 Cross Site Request Forgery (CSRF): Prevention!! A CAPTCHA is a type of challengeresponse test used in computing to determine whether or not the user is human. 38

39 Unvalidated Input 39

40 Unvalidated Input 40

41 Unvalidated Input 41

42 Unvalidated Input: Summary 42

43 Unvalidated Input: Prevention! 43

44 Broken Authentication 44

45 Broken Authentication Google(SHA-1) 45

46 Fixing Authentication: How To?! Google(MITM) 46

47 Fixing Authentication: Salting Passwords! In cryptography, a salt is a random data that is used as an additional input to a one-way function that hashes a password or passphrase. The primary function of salts is to defend against dictionary attacks versus a list of password hashes and against pre-computed rainbow table attacks. e.g. the salt and the password can be concatenated and processed with a cryptographic hash function, and the resulting output (but not the original password) can be stored with the salt in a database. 47

48 Fixing Authentication: Salting Passwords! Why add Salt? If each password is simply hashed, identical passwords will have the same hash: There are two drawbacks: 1. Due to the birthday paradox, the attacker can find a password very quickly especially if the number of passwords in the database is large. In probability theory, the birthday problem or birthday paradox concerns the probability that, in a set of n randomly chosen people, some pair of them will have the same birthday. See: 48

49 Fixing Authentication: Salting Passwords! Why add Salt? If each password is simply hashed, identical passwords will have the same hash. There are two drawbacks: 1. Due to the birthday paradox, the attacker can find a password very quickly especially if the number of passwords in the database is large. 2. An attacker can use a list of precomputed hashes to break passwords in seconds. A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. See: 49

50 Fixing Authentication: Salting Passwords! In order to solve these problems, a salt can be concatenated to the password before the digest operation. A salt is a random number of a fixed length. This salt must be different for each stored entry. It must be stored as clear text next to the hashed password. In this configuration, an attacker must handle a brute force attack on each individual password. The database is now birthday attack/rainbow crack resistant. consists of systematically checking all possible keys or passwords until the correct one is found. In the worst case, this would involve traversing the entire search space. 50

51 Fixing Authentication: Salting Passwords! 51

52 Fixing Authentication: Salting Passwords! 52

53 Fixing Authentication: Salting Passwords! 53

54 Session Management 54

55 Session Management: Problem or Solution?! 55

56 Session Management: Problem or Solution?! 56

57 Session Management: Problem or Solution?! Set-Cookie: <name>=<value>[; <Max-Age>=<age>] [; expires=<date>][; domain=<domain_name>] [; path=<some_path>][; secure][; HttpOnly] 57

58 Transport Layer Security 58

59 Transport Layer Security (e.g. HTTPS) 59

60 Transport Layer Security (e.g. HTTPS) Google(Secure Sockets Layer, SSL) Google(Certification Authority, CA) 60

61 HTTPS: Basics 61

62 HTTPS: Public-Key Cryptography 62

63 HTTPS: Shared-Key Cryptography 63

64 HTTPS: Hashing 64

65 HTTPS: Certificates 65

66 HTTPS: Signatures 66

67 HTTPS: How to? Limitations?! How to? Follow the steps at: 67

68 Example 68

69 Application Layer Security 69

70 References

71 71

COMP9321 Web Application Engineering

COMP9321 Web Application Engineering COMP9321 Web Application Engineering Semester 2, 2016 Dr. Amin Beheshti Service Oriented Computing Group, CSE, UNSW Australia Week 9 http://webapps.cse.unsw.edu.au/webcms2/course/index.php?cid=2445 1 Assignment

More information

COMP9321 Web Application Engineering

COMP9321 Web Application Engineering COMP9321 Web Application Engineering Web Application Security Dr. Basem Suleiman Service Oriented Computing Group, CSE, UNSW Australia Semester 1, 2016, Week 8 http://webapps.cse.unsw.edu.au/webcms2/course/index.php?cid=2442

More information

Application vulnerabilities and defences

Application vulnerabilities and defences Application vulnerabilities and defences In this lecture We examine the following : SQL injection XSS CSRF SQL injection SQL injection is a basic attack used to either gain unauthorized access to a database

More information

Web Application Security. Srikumar Venugopal Week 8, S2, 2014

Web Application Security. Srikumar Venugopal Week 8, S2, 2014 Web Application Security Srikumar Venugopal Week 8, S2, 2014 Before we start Acknowledgements This presentation contains material prepared by Halvard Skogsrud, Senior Software Engineer, Thoughtworks, Inc.

More information

Web Application Security. Philippe Bogaerts

Web Application Security. Philippe Bogaerts Web Application Security Philippe Bogaerts OWASP TOP 10 3 Aim of the OWASP Top 10 educate developers, designers, architects and organizations about the consequences of the most common web application security

More information

1 About Web Security. What is application security? So what can happen? see [?]

1 About Web Security. What is application security? So what can happen? see [?] 1 About Web Security What is application security? see [?] So what can happen? 1 taken from [?] first half of 2013 Let s focus on application security risks Risk = vulnerability + impact New App: http://www-03.ibm.com/security/xforce/xfisi

More information

C1: Define Security Requirements

C1: Define Security Requirements OWASP Top 10 Proactive Controls IEEE Top 10 Software Security Design Flaws OWASP Top 10 Vulnerabilities Mitigated OWASP Mobile Top 10 Vulnerabilities Mitigated C1: Define Security Requirements A security

More information

WHY CSRF WORKS. Implicit authentication by Web browsers

WHY CSRF WORKS. Implicit authentication by Web browsers WHY CSRF WORKS To explain the root causes of, and solutions to CSRF attacks, I need to share with you the two broad types of authentication mechanisms used by Web applications: 1. Implicit authentication

More information

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati OWASP TOP 10 2017 Release Andy Willingham June 12, 2018 OWASP Cincinnati Agenda A quick history lesson The Top 10(s) Web Mobile Privacy Protective Controls Why have a Top 10? Software runs the world (infrastructure,

More information

Common Websites Security Issues. Ziv Perry

Common Websites Security Issues. Ziv Perry Common Websites Security Issues Ziv Perry About me Mitnick attack TCP splicing Sql injection Transitive trust XSS Denial of Service DNS Spoofing CSRF Source routing SYN flooding ICMP

More information

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14 Attacks Against Websites 3 The OWASP Top 10 Tom Chothia Computer Security, Lecture 14 OWASP top 10. The Open Web Application Security Project Open public effort to improve web security: Many useful documents.

More information

Web basics: HTTP cookies

Web basics: HTTP cookies Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh February 11, 2016 1 / 27 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the

More information

Your Turn to Hack the OWASP Top 10!

Your Turn to Hack the OWASP Top 10! OWASP Top 10 Web Application Security Risks Your Turn to Hack OWASP Top 10 using Mutillidae Born to Be Hacked Metasploit in VMWare Page 1 https://www.owasp.org/index.php/main_page The Open Web Application

More information

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh March 30, 2015 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the server sends

More information

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing Advancing Expertise in Security Testing Taming the Wild West Canberra, Australia 1 Who is this guy? Andrew

More information

Solutions Business Manager Web Application Security Assessment

Solutions Business Manager Web Application Security Assessment White Paper Solutions Business Manager Solutions Business Manager 11.3.1 Web Application Security Assessment Table of Contents Micro Focus Takes Security Seriously... 1 Solutions Business Manager Security

More information

Web Application Threats and Remediation. Terry Labach, IST Security Team

Web Application Threats and Remediation. Terry Labach, IST Security Team Web Application Threats and Remediation Terry Labach, IST Security Team IST Security Team The problem While we use frewalls and other means to prevent attackers from access to our networks, we encourage

More information

Advanced Web Technology 10) XSS, CSRF and SQL Injection

Advanced Web Technology 10) XSS, CSRF and SQL Injection Berner Fachhochschule, Technik und Informatik Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011 1 Table of Contents Cross Site Request Forgery - CSRF Presentation

More information

GOING WHERE NO WAFS HAVE GONE BEFORE

GOING WHERE NO WAFS HAVE GONE BEFORE GOING WHERE NO WAFS HAVE GONE BEFORE Andy Prow Aura Information Security Sam Pickles Senior Systems Engineer, F5 Networks NZ Agenda: WTF is a WAF? View from the Trenches Example Attacks and Mitigation

More information

Web basics: HTTP cookies

Web basics: HTTP cookies Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh November 20, 2017 1 / 32 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the

More information

Robust Defenses for Cross-Site Request Forgery Review

Robust Defenses for Cross-Site Request Forgery Review Robust Defenses for Cross-Site Request Forgery Review Network Security Instructor:Dr. Shishir Nagaraja Submitted By: Jyoti Leeka October 16, 2011 1 Introduction to the topic and the reason for the topic

More information

Content Security Policy

Content Security Policy About Tim Content Security Policy New Tools for Fighting XSS Pentester > 10 years Web Applications Network Security Products Exploit Research Founded Blindspot Security in 2014 Pentesting Developer Training

More information

Application Layer Security

Application Layer Security Application Layer Security General overview Ma. Angel Marquez Andrade Benefits of web Applications: No need to distribute separate client software Changes to the interface take effect immediately Client-side

More information

OWASP Top 10 The Ten Most Critical Web Application Security Risks

OWASP Top 10 The Ten Most Critical Web Application Security Risks OWASP Top 10 The Ten Most Critical Web Application Security Risks The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain

More information

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11 Attacks Against Websites Tom Chothia Computer Security, Lecture 11 A typical web set up TLS Server HTTP GET cookie Client HTML HTTP file HTML PHP process Display PHP SQL Typical Web Setup HTTP website:

More information

Web Application Whitepaper

Web Application Whitepaper Page 1 of 16 Web Application Whitepaper Prepared by Simone Quatrini and Isa Shorehdeli Security Advisory EMEAR 6 th September, 2017 1.0 General Release Page 2 of 16 1. Introduction In this digital age,

More information

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007 Web 2.0 and AJAX Security OWASP Montgomery August 21 st, 2007 Overview Introduction Definition of Web 2.0 Basics of AJAX Attack Vectors for AJAX Applications AJAX and Application Security Conclusions 1

More information

CIS 4360 Secure Computer Systems XSS

CIS 4360 Secure Computer Systems XSS CIS 4360 Secure Computer Systems XSS Professor Qiang Zeng Spring 2017 Some slides are adapted from the web pages by Kallin and Valbuena Previous Class Two important criteria to evaluate an Intrusion Detection

More information

Chrome Extension Security Architecture

Chrome Extension Security Architecture Chrome Extension Security Architecture Presenter: Jienan Liu Network, Intelligence & security Lab outline Chrome extension introduction Threats towards extension Chrome extension s security architecture

More information

Web Application Vulnerabilities: OWASP Top 10 Revisited

Web Application Vulnerabilities: OWASP Top 10 Revisited Pattern Recognition and Applications Lab Web Application Vulnerabilities: OWASP Top 10 Revisited Igino Corona igino.corona AT diee.unica.it Computer Security April 5th, 2018 Department of Electrical and

More information

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies CNIT 129S: Securing Web Applications Ch 3: Web Application Technologies HTTP Hypertext Transfer Protocol (HTTP) Connectionless protocol Client sends an HTTP request to a Web server Gets an HTTP response

More information

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

Computer Security 3e. Dieter Gollmann.  Chapter 18: 1 Computer Security 3e Dieter Gollmann www.wiley.com/college/gollmann Chapter 18: 1 Chapter 18: Web Security Chapter 18: 2 Web 1.0 browser HTTP request HTML + CSS data web server backend systems Chapter

More information

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP OWASP Top 10 Risks Dean.Bushmiller@ExpandingSecurity.com Many thanks to Dave Wichers & OWASP My Mom I got on the email and did a google on my boy My boy works in this Internet thing He makes cyber cafes

More information

Certified Secure Web Application Engineer

Certified Secure Web Application Engineer Certified Secure Web Application Engineer ACCREDITATIONS EXAM INFORMATION The Certified Secure Web Application Engineer exam is taken online through Mile2 s Assessment and Certification System ( MACS ),

More information

CSWAE Certified Secure Web Application Engineer

CSWAE Certified Secure Web Application Engineer CSWAE Certified Secure Web Application Engineer Overview Organizations and governments fall victim to internet based attacks every day. In many cases, web attacks could be thwarted but hackers, organized

More information

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH Faculty of Computer Science Institute of Systems Architecture, Operating Systems Group PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH THE WEB AS A DISTRIBUTED SYSTEM 2 WEB HACKING SESSION 3 3-TIER persistent

More information

SECURITY TESTING. Towards a safer web world

SECURITY TESTING. Towards a safer web world SECURITY TESTING Towards a safer web world AGENDA 1. 3 W S OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS ate: 2013-14 Few Security Breaches September

More information

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team Application Security Introduction Tara Gu IBM Product Security Incident Response Team About Me - Tara Gu - tara.weiqing@gmail.com - Duke B.S.E Biomedical Engineering - Duke M.Eng Computer Engineering -

More information

WEB SECURITY: XSS & CSRF

WEB SECURITY: XSS & CSRF WEB SECURITY: XSS & CSRF CMSC 414 FEB 22 2018 Cross-Site Request Forgery (CSRF) URLs with side-effects http://bank.com/transfer.cgi?amt=9999&to=attacker GET requests should have no side-effects, but often

More information

Information Security CS 526 Topic 11

Information Security CS 526 Topic 11 Information Security CS 526 Topic 11 Web Security Part 1 1 Readings for This Lecture Wikipedia HTTP Cookie Same Origin Policy Cross Site Scripting Cross Site Request Forgery 2 Background Many sensitive

More information

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection Pattern Recognition and Applications Lab (System) Integrity attacks System Abuse, Malicious File upload, SQL Injection Igino Corona igino.corona (at) diee.unica.it Computer Security April 9, 2018 Department

More information

Copyright

Copyright 1 Security Test EXTRA Workshop : ANSWER THESE QUESTIONS 1. What do you consider to be the biggest security issues with mobile phones? 2. How seriously are consumers and companies taking these threats?

More information

Sichere Software vom Java-Entwickler

Sichere Software vom Java-Entwickler Sichere Software vom Java-Entwickler Dominik Schadow Java Forum Stuttgart 05.07.2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN We can no longer

More information

RKN 2015 Application Layer Short Summary

RKN 2015 Application Layer Short Summary RKN 2015 Application Layer Short Summary HTTP standard version now: 1.1 (former 1.0 HTTP /2.0 in draft form, already used HTTP Requests Headers and body counterpart: answer Safe methods (requests): GET,

More information

OWASP Review. Amherst Security Group June 14, 2017 Robert Hurlbut.

OWASP Review. Amherst Security Group June 14, 2017 Robert Hurlbut. OWASP Review Amherst Security Group June 14, 2017 Robert Hurlbut RobertHurlbut.com @RobertHurlbut Robert Hurlbut Software Security Consultant, Architect, and Trainer Owner / President of Robert Hurlbut

More information

CSCE 813 Internet Security Case Study II: XSS

CSCE 813 Internet Security Case Study II: XSS CSCE 813 Internet Security Case Study II: XSS Professor Lisa Luo Fall 2017 Outline Cross-site Scripting (XSS) Attacks Prevention 2 What is XSS? Cross-site scripting (XSS) is a code injection attack that

More information

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology DEFENSIVE PROGRAMMING Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology Traditional Programming When writing a program, programmers typically

More information

Information Security CS 526 Topic 8

Information Security CS 526 Topic 8 Information Security CS 526 Topic 8 Web Security Part 1 1 Readings for This Lecture Wikipedia HTTP Cookie Same Origin Policy Cross Site Scripting Cross Site Request Forgery 2 Background Many sensitive

More information

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example Proxy Caches and Web Application Security Using the Recent Google Docs 0-Day as an Example Tim Bass, CISSP Chapter Leader, Thailand +66832975101, tim@unix.com AppSec Asia October 21, 2008 Thailand Worldwide

More information

86% of websites has at least 1 vulnerability and an average of 56 per website WhiteHat Security Statistics Report 2013

86% of websites has at least 1 vulnerability and an average of 56 per website WhiteHat Security Statistics Report 2013 Vulnerabilities help make Web application attacks amongst the leading causes of data breaches +7 Million Exploitable Vulnerabilities challenge organizations today 86% of websites has at least 1 vulnerability

More information

Computer Security CS 426 Lecture 41

Computer Security CS 426 Lecture 41 Computer Security CS 426 Lecture 41 StuxNet, Cross Site Scripting & Cross Site Request Forgery CS426 Fall 2010/Lecture 36 1 StuxNet: Overview Windows-based Worm First reported in June 2010, the general

More information

Web Security 2 https://www.xkcd.com/177/ http://xkcd.com/1323/ Encryption basics Plaintext message key secret Encryp)on Func)on Ciphertext Insecure network Decryp)on Func)on Curses! Foiled again! key Plaintext

More information

Welcome to the OWASP TOP 10

Welcome to the OWASP TOP 10 Welcome to the OWASP TOP 10 Secure Development for Java Developers Dominik Schadow 03/20/2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN 1 AGENDA

More information

Tabular Presentation of the Application Software Extended Package for Web Browsers

Tabular Presentation of the Application Software Extended Package for Web Browsers Tabular Presentation of the Application Software Extended Package for Web Browsers Version: 2.0 2015-06-16 National Information Assurance Partnership Revision History Version Date Comment v 2.0 2015-06-16

More information

OWASP TOP 10. By: Ilia

OWASP TOP 10. By: Ilia OWASP TOP 10 By: Ilia Alshanetsky @iliaa ME, MYSELF & I PHP Core Developer Author of Guide to PHP Security Security Aficionado WEB SECURITY THE CONUNDRUM USABILITY SECURITY YOU CAN HAVE ONE ;-) OPEN WEB

More information

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any OWASP Top 10 Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any tester can (and should) do security testing

More information

Avoiding Web Application Flaws In Embedded Devices. Jake Edge LWN.net URL for slides:

Avoiding Web Application Flaws In Embedded Devices. Jake Edge LWN.net URL for slides: Avoiding Web Application Flaws In Embedded Devices Jake Edge LWN.net jake@lwn.net URL for slides: http://lwn.net/talks/elce2008 Overview Examples embedded devices gone bad Brief introduction to HTTP Authentication

More information

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

Charting the Course to Your Success! Securing.Net Web Applications Lifecycle Course Summary Course Summary Description Securing.Net Web Applications - Lifecycle is a lab-intensive, hands-on.net security training course, essential for experienced enterprise developers who need to produce secure.net-based

More information

Robust Defenses for Cross-Site Request Forgery

Robust Defenses for Cross-Site Request Forgery University of Cyprus Department of Computer Science Advanced Security Topics Robust Defenses for Cross-Site Request Forgery Name: Elena Prodromou Instructor: Dr. Elias Athanasopoulos Authors: Adam Barth,

More information

EasyCrypt passes an independent security audit

EasyCrypt passes an independent security audit July 24, 2017 EasyCrypt passes an independent security audit EasyCrypt, a Swiss-based email encryption and privacy service, announced that it has passed an independent security audit. The audit was sponsored

More information

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in 1 This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in terms of prevalence (how much the vulnerability is widespread),

More information

Title: Multiple Remote Command Execution vulnerabilities on Avaya Intuity Audix LX (plus some client-side bugs)

Title: Multiple Remote Command Execution vulnerabilities on Avaya Intuity Audix LX (plus some client-side bugs) Title: Multiple Remote Command Execution vulnerabilities on Avaya Intuity Audix LX (plus some client-side bugs) Document last modified on: 17th September 2009 Date of discovery of vulnerabilities: December

More information

Web Applications Penetration Testing

Web Applications Penetration Testing Web Applications Penetration Testing Team Members: Rahul Motwani (2016ME10675) Akshat Khare (2016CS10315) ftarth Chopra (2016TT10829) Supervisor: Prof. Ranjan Bose Before proceeding further, we would like

More information

INF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015

INF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015 INF3700 Informasjonsteknologi og samfunn Application Security Audun Jøsang University of Oslo Spring 2015 Outline Application Security Malicious Software Attacks on applications 2 Malicious Software 3

More information

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities Ethical Hacking and Countermeasures: Web Chapter 3 Web Application Vulnerabilities Objectives After completing this chapter, you should be able to: Understand the architecture of Web applications Understand

More information

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13 Airlock and the OWASP TOP 10-2017 Version 2.1 11.24.2017 OWASP Top 10 A1 Injection... 3 A2 Broken Authentication... 5 A3 Sensitive Data Exposure... 6 A4 XML External Entities (XXE)... 7 A5 Broken Access

More information

CSCD 303 Essential Computer Security Fall 2017

CSCD 303 Essential Computer Security Fall 2017 CSCD 303 Essential Computer Security Fall 2017 Lecture 18a XSS, SQL Injection and CRSF Reading: See links - End of Slides Overview Idea of XSS, CSRF and SQL injection is to violate the security of the

More information

Secure Frame Communication in Browsers Review

Secure Frame Communication in Browsers Review Secure Frame Communication in Browsers Review Network Security Instructor:Dr. Shishir Nagaraja Submitted By: Jyoti Leeka October 16, 2011 1 Introduction to the topic and the reason for the topic being

More information

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017 OWASP Top 10-2017 David Caissy OWASP Los Angeles Chapter July 2017 About Me David Caissy Web App Penetration Tester Former Java Application Architect IT Security Trainer: Developers Penetration Testers

More information

P2_L12 Web Security Page 1

P2_L12 Web Security Page 1 P2_L12 Web Security Page 1 Reference: Computer Security by Stallings and Brown, Chapter (not specified) The web is an extension of our computing environment, because most of our daily tasks involve interaction

More information

Security Testing White Paper

Security Testing White Paper Security Testing White Paper Table of Contents 1. Introduction... 3 2. Need for Security Testing... 4 3. Security Testing Framework... 5 3.1 THREAT ANALYSIS... 6 3.1.1 Application Overview... 8 3.1.2 System

More information

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V3.0, MAY 2017 Multiple Layers of Protection Overview Password Salted-Hash Thank you

More information

CSE484 Final Study Guide

CSE484 Final Study Guide CSE484 Final Study Guide Winter 2013 NOTE: This study guide presents a list of ideas and topics that the TAs find useful to know, and may not represent all the topics that could appear on the final exam.

More information

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection Is Browsing Safe? Web Browser Security Charlie Reis Guest Lecture - CSE 490K - 5/24/2007 Send Spam Search Results Change Address? Install Malware Web Mail Movie Rentals 2 Browser Security Model Pages are

More information

Web Application Penetration Testing

Web Application Penetration Testing Web Application Penetration Testing COURSE BROCHURE & SYLLABUS Course Overview Web Application penetration Testing (WAPT) is the Security testing techniques for vulnerabilities or security holes in corporate

More information

Fortify Software Security Content 2017 Update 4 December 15, 2017

Fortify Software Security Content 2017 Update 4 December 15, 2017 Software Security Research Release Announcement Micro Focus Security Fortify Software Security Content 2017 Update 4 December 15, 2017 About Micro Focus Security Fortify SSR The Software Security Research

More information

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report. Report on IRONWASP Software Product: IronWASP Description of the Product: IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing.

More information

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite: Securing Java/ JEE Web Applications (TT8320-J) Day(s): 4 Course Code: GK1123 Overview Securing Java Web Applications is a lab-intensive, hands-on Java / JEE security training course, essential for experienced

More information

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s Session I of III JD Nir, Security Analyst Why is this important? ISE Proprietary Agenda About ISE Web Applications

More information

PRACTICAL WEB DEFENSE VERSION 1

PRACTICAL WEB DEFENSE VERSION 1 PRACTICAL WEB DEFENSE VERSION 1 The most practical and comprehensive training course on web application defense elearnsecurity has been chosen by students in over 140 countries in the world and by leading

More information

Aguascalientes Local Chapter. Kickoff

Aguascalientes Local Chapter. Kickoff Aguascalientes Local Chapter Kickoff juan.gama@owasp.org About Us Chapter Leader Juan Gama Application Security Engineer @ Aspect Security 9+ years in Appsec, Testing, Development Maintainer of OWASP Benchmark

More information

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web Security and Privacy SWE 432, Fall 2016 Design and Implementation of Software for the Web Today Security What is it? Most important types of attacks Privacy For further reading: https://www.owasp.org/index.php/

More information

CSE 484 / CSE M 584: Computer Security and Privacy. Web Security. Autumn Tadayoshi (Yoshi) Kohno

CSE 484 / CSE M 584: Computer Security and Privacy. Web Security. Autumn Tadayoshi (Yoshi) Kohno CSE 484 / CSE M 584: Computer Security and Privacy Web Security Autumn 2018 Tadayoshi (Yoshi) Kohno yoshi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Ada Lerner, John Manferdelli,

More information

Applications Security

Applications Security Applications Security OWASP Top 10 PyCon Argentina 2018 Objectives Generate awareness and visibility on web-apps security Set a baseline of shared knowledge across the company Why are we here / Trigger

More information

Secure Parameter Filter (SPF) (AKA Protecting Vulnerable Applications with IIS7) Justin Clarke, Andrew Carey Nairn

Secure Parameter Filter (SPF) (AKA Protecting Vulnerable Applications with IIS7) Justin Clarke, Andrew Carey Nairn Secure Parameter Filter (SPF) (AKA Protecting Vulnerable Applications with IIS7) Justin Clarke, Andrew Carey Nairn Our Observations The same old code-level problems Input Validation, Parameter Manipulation,

More information

2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun

2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun CYSE 411/AIT 681 Secure Software Engineering Topic #11. Web Security Instructor: Dr. Kun Sun Secure Coding String management Pointer Subterfuge Dynamic memory management Integer security Formatted output

More information

Web Security, Summer Term 2012

Web Security, Summer Term 2012 IIG University of Freiburg Web Security, Summer Term 2012 Brocken Authentication and Session Management Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 7 Broken Authentication and Session

More information

Web Security, Summer Term 2012

Web Security, Summer Term 2012 Table of Contents IIG University of Freiburg Web Security, Summer Term 2012 Brocken Authentication and Session Management Dr. E. Benoist Sommer Semester Introduction Examples of Attacks Brute Force Session

More information

Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1

Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1 Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1 CIA Triad Confidentiality Prevent disclosure of information to unauthorized parties Integrity Detect data tampering Availability

More information

Development*Process*for*Secure* So2ware

Development*Process*for*Secure* So2ware Development*Process*for*Secure* So2ware Development Processes (Lecture outline) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development

More information

En#ty Authen#ca#on and Session Management

En#ty Authen#ca#on and Session Management En#ty Authen#ca#on and Session Management Jim Manico @manicode OWASP Volunteer - Global OWASP Board Member - OWASP Cheat- Sheet Series, Top Ten Proac=ve Controls, OWASP Java Encoder and HTML Sani=zer Project

More information

IERG 4210 Tutorial 07. Securing web page (I): login page and admin user authentication Shizhan Zhu

IERG 4210 Tutorial 07. Securing web page (I): login page and admin user authentication Shizhan Zhu IERG 4210 Tutorial 07 Securing web page (I): login page and admin user authentication Shizhan Zhu Content for today Phase 4 preview From now please pay attention to the security issue of your website This

More information

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam. Eleonora Petridou Pascal Cuylaerts System And Network Engineering University of Amsterdam June 30, 2011 Outline Research question About Perslink Approach Manual inspection Automated tests Vulnerabilities

More information

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant Penetration Testing following OWASP Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant За Лирекс Penetration testing A method of compromising the security of a computer system or network by

More information

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis CSE361 Web Security Attacks against the client-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu Despite the same origin policy Many things can go wrong at the client-side of a web application

More information

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite: Secure Java Web Application Development Lifecycle - SDL (TT8325-J) Day(s): 5 Course Code: GK1107 Overview Secure Java Web Application Development Lifecycle (SDL) is a lab-intensive, hands-on Java / JEE

More information

Multi-Post XSRF Web App Exploitation, total pwnage

Multi-Post XSRF Web App Exploitation, total pwnage Multi-Post XSRF Web App Exploitation, total pwnage Adrien de Beaupré SANS ISC Handler Tester of pens Certified SANS Instructor Intru-Shun.ca Inc. SecTor 2015 Introduction Web application vulnerabilities.

More information

Application. Security. on line training. Academy. by Appsec Labs

Application. Security. on line training. Academy. by Appsec Labs Application Security on line training Academy by Appsec Labs APPSEC LABS ACADEMY APPLICATION SECURITY & SECURE CODING ON LINE TRAINING PROGRAM AppSec Labs is an expert application security company serving

More information

Dell SonicWALL Secure Mobile Access 8.5. Web Application Firewall Feature Guide

Dell SonicWALL Secure Mobile Access 8.5. Web Application Firewall Feature Guide Dell SonicWALL Secure Mobile Access 8.5 Copyright 2016 Dell Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. Dell, the Dell logo,

More information

Development Security Guide Oracle Banking Credit Facilities Process Management Release [July] [2018]

Development Security Guide Oracle Banking Credit Facilities Process Management Release [July] [2018] Development Security Guide Oracle Banking Credit Facilities Process Management Release 14.1.0.0.0 [July] [2018] Security Guide Table of Contents 1. ABOUT THIS MANUAL... 1-1 1.1 INTRODUCTION... 1-1 1.2

More information