DID WE LOSE THE BATTLE FOR A SECURE WEB?
- Godfrey Hawkins
- 6 years ago
1 DID WE LOSE THE BATTLE FOR A SECURE WEB? Philippe De Ryck Guest lecture Capita Selecta, UCLL, December 14th
2 ABOUT ME PHILIPPE DE RYCK
My goal is to help you build secure web applications
In-house training programs at various companies
Hosted web security training courses at DistriNet (KU Leuven)
Talks at various developer conferences
Slides, videos and blog posts on
I have a broad security expertise, with a focus on Web Security
PhD in client-side web security
Main author of the Primer on client-side web security
Part of the organizing committee of SecAppDev.org
Week-long course focused on practical security 2
3 3
4 THE WEB STARTED OUT AS SERVER-CENTRIC 4
5 DATA BREACHES ARE SOPHISTICATED ATTACKS 5
6 COMMAND INJECTION IN
7 THE S IN IOT STANDS FOR SECURITY 7
8 THE S IN IOT STANDS FOR SECURITY 8
9 THE S IN IOT STANDS FOR SECURITY 9
10 TRADITIONAL SERVER-SIDE SECURITY PROBLEMS REMAIN 10
11 TRADITIONAL SERVER-SIDE SECURITY PROBLEMS REMAIN 11
12 DATA BREACHES HAVE BECOME EXTREMELY COMMON 12
13 ACCOUNT COMPROMISE THROUGH PASSWORD REUSE
    java -jar shard-1.5.jar -u -p test
    :16: [+] Selected single-user single-password mode
    10:16: [+] Running 12 modules
    10:16: [+] - BitBucket 13
14 NUMEROUS SERVICES GET CREDENTIAL STORAGE WRONG 14
15 NUMEROUS SERVICES GET CREDENTIAL STORAGE WRONG 15
16 NUMEROUS SERVICES GET CREDENTIAL STORAGE WRONG 16
17 NUMEROUS SERVICES GET CREDENTIAL STORAGE WRONG 17
18 MEET SAGITTA BRUTALIS GTX 1080 MD5 SHA1 SHA million hashes / second million hashes / second million hashes / second 18
19 IMAGINE WHAT SECURITY IS LIKE IN THE CLIENT-CENTRIC WEB 19
20 HIJACKING VNC SERVERS WITH WEBSOCKETS 20
21 TOTALLY OWNING A BROWSER WITH XSS 21
22 READING S USING XSS VULNERABILITIES 22
23 EXTRACTING MALWARE FROM IMAGES USING JS 23
24 W T F?
25 HOW DO YOU KNOW IF YOU'RE COMPROMISED? 25
26 HOW DO YOU KNOW IF YOU'RE COMPROMISED? 26
27 GETTING CREDENTIAL STORAGE RIGHT
Old common practices no longer suffice
It used to be recommended to use a salt and a hashing algorithm
But hashing algorithms are designed to be fast
Password: Test1234
Salt: s1l1gqbpvlksiffovmvqwu
SHA1: 946e48b8c174c730e5111c9e7b5f4261b8f81b9a
Modern approaches use password-based key derivation functions
Their original goal is to create a key from a password for cryptographic use
These functions are slow and resource-hungry, and well suited for credential storage
Examples are bcrypt, scrypt and PBKDF2
8x NVIDIA GTX: million MD5 / second, million SHA1 / second, 100 thousand BCRYPT / second 27
28 STORING CREDENTIALS IN NODEJS WITH BCRYPT
    var bcrypt = require('bcrypt');
    var pass = "Supahs3cr3t";

    // genSalt (camel case; the slide's "gensalt" is not a bcrypt function)
    // generates a random salt carrying cost parameter 10
    bcrypt.genSalt(10, function(err, salt) {
      bcrypt.hash(pass, salt, function(err, hash) {
        // Store hash in your password DB.

        // Later: load hash from DB and check a login attempt against it
        bcrypt.compare('nots3cr3t', hash, function(err, res) {
          // res == false
        });
      });
    });
The stored string $2a$10$s1L1GQbpvlksIfFOVmVQwuHyDxAwBk6DFYzTpJpYd4HytXKL3WA/2 consists of four parts: Algorithm ($2a$), Cost parameter (10), Salt (s1L1GQbpvlksIfFOVmVQwu, 22 characters) and Hash (HyDxAwBk6DFYzTpJpYd4HytXKL3WA/2, 31 characters) 28-31
32 PASSWORD MANAGERS ARE GAME CHANGERS
Password managers address the most important problems with passwords
They allow you to generate long and random passwords
A unique password for every application avoids password re-use
Autofill features help protect against phishing 32
33 A LOOK UNDER THE HOOD OF A PASSWORD MANAGER
Sync encrypted file
Provide master password
Generate key from master password
ThereCanBeOnlyOne secret123 pazzword GuessmeJ
Decrypt database on device 33
34 BUT MULTI-FACTOR AUTHENTICATION IS EVEN BETTER 34
35 FORTUNATELY, BROWSERS ARE TAKING SECURITY SERIOUSLY
Since HTML5, new features are designed with security in mind
New features should not create vulnerabilities for legacy applications
Security takes precedence over functionality, to build towards a secure web
Browsers try to take a security stance
By starting to reject or block insecure behavior
This is a slow process, with large grace periods to avoid too much breakage
Since the Snowden revelations, companies are pushing for security as well
Many initiatives backed by large technology companies
Trying to convince users to take security seriously as well 35
36 AND IT'S WORKING 36
37 WE HAVE BETTER SECURITY TOOLS THAN EVER
New technologies give us more defensive capabilities
We can finally get rid of XSS once and for all
We can defend against attacks which used to be impossible
Mainly available as server-driven browser-enforced policies
Specified by the server, customized to the application at hand
Delivered to the browser, typically in an HTTP header
Enforced by the browser, on the client-side context
Backwards compatible with older browsers
Unknown headers are simply ignored 37
38 SERVER-DRIVEN BROWSER-ENFORCED SECURITY POLICIES
The first example is cookie security flags
Set by the server, enforced by the browser
Numerous such policies have been added to the browser recently
HTTP Strict Transport Security
HTTP Public Key Pinning
X-XSS-Protection
Content Security Policy
Subresource Integrity
Cross-Origin Resource Sharing 38
39 GETTING WEB SECURITY RIGHT
The developer's security toolbox is better than ever
Browsers are taking security seriously, and so should you
Most attacks can be countered with currently available technologies
Building secure web applications requires knowledge
Knowledge about common threats against web applications
Knowledge about countermeasures, how they work and how to use them
It is time to take Web Security seriously
Protect your applications using the latest technologies
Set an example on how to do it right
Share your experiences, help others advance as well 39
40 BREAK
41 SECURING THE COMMUNICATION CHANNEL
42 3 VARYING LEVELS OF HTTPS (a) Visit website, browse public pages Login with username and password Consult private information (b) Visit website, browse public pages Login with username and password Consult private information (c) Visit website, browse public pages Login with username and password Consult private information 42
43 WE HEAVILY DEPEND ON (INSECURE) WIFI 43
44 AND THIS HAPPENS TO THE BEST OF US 44
45 EAVESDROPPING IS CHILD'S PLAY 45
46 THE COMMUNICATION CHANNEL IS INSECURE
But we use HTTPS for sensitive data
Sufficient to counter passive eavesdropping attacks
But what about active network attacks?
Man in the Middle
Man on the Side 46
47 3 VARYING LEVELS OF HTTPS (a) Visit website, browse public pages Login with username and password Consult private information (b) Visit website, browse public pages Login with username and password Consult private information (c) Visit website, browse public pages Login with username and password Consult private information 47
48 PREVENTING THE TRANSITION FROM HTTP TO HTTPS 48
49 PREVENTING THE TRANSITION FROM HTTP TO HTTPS Visit Visit Welcome, please log in Login as Philippe Welcome Philippe Rewrite HTTPS to HTTP Login as Philippe Welcome Philippe some-shop.com 49
50 TIME TO MOVE TOWARDS HTTPS Visit Visit Welcome, please log in Login as Philippe Welcome Philippe Login as Philippe Welcome Philippe some-shop.com 50
51 HTTP WEAKENS HTTPS SITES 51
52 SNEAKY SSL STRIPPING ATTACKS PREVENT THE USE OF HTTPS 52
53 SNEAKY SSL STRIPPING ATTACKS PREVENT THE USE OF HTTPS GET GET Moved 200 OK <html> </html> Rewrite HTTPS URLS to HTTP GET OK POST OK <html> </html> Rewrite HTTPS URLS to HTTP POST OK 53
54 STRICT TRANSPORT SECURITY AGAINST SSL STRIPPING
Strict Transport Security converts all HTTP requests to HTTPS
GET OK <html> </html>
Modern browsers support HTTP Strict Transport Security (HSTS)
HTTP response header to enable Strict Transport Security
When enabled, the browser will not send an HTTP request anymore
From version
55 HSTS CAN BE ENABLED WITH A SIMPLE ONE-LINER
The policy is controlled by the Strict-Transport-Security header
max-age specifies how long the policy should be enforced, in seconds
Make sure this is long enough to cover two subsequent visits
If necessary, the policy can be disabled by setting max-age to 0
    Strict-Transport-Security: max-age=
The policy can be extended to automatically include subdomains
This behavior is controlled by the includesubdomains flag
Before enabling this, carefully analyze the services you are running on your domain
    Strict-Transport-Security: max-age= ; includesubdomains 55
56 HSTS IN ACTION GET OK Strict-Transport-Security: maxage= ; includesubdomains websec.be GET OK Strict-Transport-Security: maxage= ; includesubdomains GET OK Strict-Transport-Security: maxage= ; includesubdomains 56
57 POLICY DETAILS OF HSTS
HSTS does not care about TCP ports
Policy matches are determined based on the hostname only
Port 80 is translated to port 443, but other ports are preserved
HSTS policies can only be set over a secure connection
The certificate used must be valid
HSTS policies set on insecure connections are ignored
Disabling HSTS must be done by explicitly setting max-age to 0
Omitting an HSTS header from an HSTS-enabled host does nothing 57
58 ENABLING HSTS IN PRACTICE
The step-by-step guide towards enabling HSTS
Set up HTTPS correctly
Send the Strict-Transport-Security header with a short max-age
Test your configuration
Increase max-age after successful testing
Chrome's net-internals allows inspection; dynamic_sts is the HSTS mechanism 58
59 FUN FACT: CHROME HANDLES HSTS AS A REDIRECT 59
60 TIME TO GET ON THE HSTS TRAIN 60
61 BUT HOW DO YOU MAKE THE FIRST CONNECTION OVER HTTPS? GET OK Strict-Transport-Security: maxage= ; includesubdomains websec.be GET OK Strict-Transport-Security: maxage= ; includesubdomains GET OK Strict-Transport-Security: maxage= ; includesubdomains 61
62 HSTS == TOFU 62
63 PRELOADING HSTS INTO THE BROWSER
    Strict-Transport-Security: max-age= ; includesubdomains; preload 63
64 PRELOADING IS ON THE RISE 64
65 AWESOME SERVICES HELP IMPROVE HTTPS DEPLOYMENTS
66 COMMON MISCONCEPTIONS ABOUT HTTPS HTTPS is bad for performance 66
67 COMMON MISCONCEPTIONS ABOUT HTTPS HTTPS is complex and expensive 67
68 COMMON MISCONCEPTIONS ABOUT HTTPS You can only run one HTTPS site per IP address 68
69 ALL INTERACTIONS SHOULD HAPPEN OVER HTTPS
There is a big push for HTTPS on the Web
Google uses HTTPS as a ranking signal
Active mixed content is blocked in modern desktop browsers
The Secure Contexts specification limits use of sensitive features
There is plenty of support for easily enabling HTTPS
Rate your deployment with the SSL Server Test
Get free, automated certificates from Let's Encrypt
Improve your HTTPS deployment
Enable HTTP Strict Transport Security
70 KNOWLEDGE IS THE KEY TO BUILDING SECURE APPLICATIONS
The use of HTTPS and HSTS is only the tip of the iceberg
Numerous new security policies have been added in the last 5 years
These new technologies require explicit knowledge and action
Developers need to know why and how to use them
We offer specialized training covering the Web security landscape
Hosted training courses and customizable in-house trainings
Broad spectrum of topics, such as HTTPS, authentication, authorization, XSS
Various Web technologies, including modern MVC frameworks (AngularJS, )
Effective combination of lectures and hands-on sessions 70
71 NOW IT'S UP TO YOU Follow Secure Share philippe.deryck@cs.kuleuven.be /in/philippederyck
COMP9321 Web Application Engineering Semester 2, 2016 Dr. Amin Beheshti Service Oriented Computing Group, CSE, UNSW Australia Week 9 http://webapps.cse.unsw.edu.au/webcms2/course/index.php?cid=2445 1 Assignment
More informationDefend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title
Defend Your Web Applications Against the OWASP Top 10 Security Risks Speaker Name, Job Title Application Security Is Business Continuity Maintain and grow revenue Identify industry threats Protect assets
More informationWeb Security. New Browser Security Technologies
OWASP AppSec APAC 2013 The OWASP Foundation http://www.owasp.org Web Security New Browser Security Technologies Tobias Gondrom OWASP London OWASP Global Industry Committee Chair of IETF Web Security WG
More informationConfiguring Request Authentication and Authorization
CHAPTER 15 Configuring Request Authentication and Authorization Request authentication and authorization is a means to manage employee use of the Internet and restrict access to online content. This chapter
More informationContents. SSL-Based Services: HTTPS and FTPS 2. Generating A Certificate 2. Creating A Self-Signed Certificate 3. Obtaining A Signed Certificate 4
Contents SSL-Based Services: HTTPS and FTPS 2 Generating A Certificate 2 Creating A Self-Signed Certificate 3 Obtaining A Signed Certificate 4 Enabling Secure Services 5 SSL/TLS Security Level 5 A Note
More information10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS
10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS WHITE PAPER INTRODUCTION BANKS ARE A COMMON TARGET FOR CYBER CRIMINALS AND OVER THE LAST YEAR, FIREEYE HAS BEEN HELPING CUSTOMERS RESPOND
More informationEn#ty Authen#ca#on and Session Management
En#ty Authen#ca#on and Session Management Jim Manico @manicode OWASP Volunteer - Global OWASP Board Member - OWASP Cheat- Sheet Series, Top Ten Proac=ve Controls, OWASP Java Encoder and HTML Sani=zer Project
More informationSophos UTM Web Application Firewall For: Microsoft Exchange Services
How to configure: Sophos UTM Web Application Firewall For: Microsoft Exchange Services This guide explains how to configure your Sophos UTM 9.3+ to allow access to the relevant Microsoft Exchange services
More informationBerner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 2
Table of Contents Hacking Web Sites Broken Authentication Emmanuel Benoist Spring Term 2018 Introduction Examples of Attacks Brute Force Session Spotting Replay Attack Session Fixation Attack Session Hijacking
More informationOWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP
OWASP Top 10 Risks Dean.Bushmiller@ExpandingSecurity.com Many thanks to Dave Wichers & OWASP My Mom I got on the email and did a google on my boy My boy works in this Internet thing He makes cyber cafes
More informationSSL/TLS Deployment Best Practices
Version 1.0 24 Feb 2012 SSL/TLS Deployment Best Practices Ivan Ristic Qualys SSL Labs Introduction SSL/TLS is a deceptively simple technology. It is easy to deploy, and it just works... except that it
More informationThis document describes the configuration of Secure Sockets Layer (SSL) decryption on the FirePOWER Module using ASDM (On-Box Management).
Contents Introduction Prerequisites Requirements Components Used Background Information Outbound SSL Decryption Inbound SSL Decryption Configuration for SSL Decryption Outbound SSL decryption (Decrypt
More informationClient Certificates Are Going Away
Client Certificates Are Going Away What now? Garrett Wollman, TIG May 2, 2016 1 Overview of this talk 1. Review of the current situation and how we got here 2. Our response to the deprecation of client
More informationPRACTICAL PASSWORD AUTHENTICATION ACCORDING TO NIST DRAFT B
PRACTICAL PASSWORD AUTHENTICATION ACCORDING TO NIST DRAFT 800-63B MOTIVATION DATABASE LEAKAGE ADOBE 152,982,479 Encrypted with 3DES ECB Same password == same ciphertext https://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/
More informationSOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications
Enabling and Securing Digital Business in Economy Protect s Serving Business Critical Applications 40 percent of the world s web applications will use an interface Most enterprises today rely on customers
More informationOWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13
Airlock and the OWASP TOP 10-2017 Version 2.1 11.24.2017 OWASP Top 10 A1 Injection... 3 A2 Broken Authentication... 5 A3 Sensitive Data Exposure... 6 A4 XML External Entities (XXE)... 7 A5 Broken Access
More informationComputer Security. 08. Authentication. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08. Authentication Paul Krzyzanowski Rutgers University Spring 2018 1 Authentication Identification: who are you? Authentication: prove it Authorization: you can do it Protocols such
More informationComputer Security 3/20/18
Authentication Identification: who are you? Authentication: prove it Computer Security 08. Authentication Authorization: you can do it Protocols such as Kerberos combine all three Paul Krzyzanowski Rutgers
More information10 FOCUS AREAS FOR BREACH PREVENTION
10 FOCUS AREAS FOR BREACH PREVENTION Keith Turpin Chief Information Security Officer Universal Weather and Aviation Why It Matters Loss of Personally Identifiable Information (PII) Loss of Intellectual
More informationRecommendations for Device Provisioning Security
Internet Telephony Services Providers Association Recommendations for Device Provisioning Security Version 2 May 2017 Contact: team@itspa.org.uk Contents Summary... 3 Introduction... 3 Risks... 4 Automatic
More informationSECURE CODING ESSENTIALS
SECURE CODING ESSENTIALS DEFENDING YOUR WEB APPLICATION AGAINST CYBER ATTACKS ROB AUGUSTINUS 30 MARCH 2017 AGENDA Intro - A.S. Watson and Me Why this Presentation? Security Architecture Secure Code Design
More informationME?
ME? VULNEX: Blog: Twitter: www.vulnex.com www.simonroses.com @simonroses TALK OBJECTIVES Apps are the new Web Peek into current state of Apps security on Markets Bugs will be revealed but not the victims
More informationCNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies
CNIT 129S: Securing Web Applications Ch 3: Web Application Technologies HTTP Hypertext Transfer Protocol (HTTP) Connectionless protocol Client sends an HTTP request to a Web server Gets an HTTP response
More informationIntroduction to SSL. Copyright 2005 by Sericon Technology Inc.
Introduction to SSL The cornerstone of e-commerce is a Web site s ability to prevent eavesdropping on data transmitted to and from its site. Without this, consumers would justifiably be afraid to enter
More informationDreamFactory Security Guide
DreamFactory Security Guide This white paper is designed to provide security information about DreamFactory. The sections below discuss the inherently secure characteristics of the platform and the explicit
More informationInformation Security CS 526
Information Security CS 526 Topic 14: Key Distribution & Agreement, Secure Communication Topic 14: Secure Communication 1 Readings for This Lecture On Wikipedia Needham-Schroeder protocol (only the symmetric
More information