Detection of Logic Flaws in Web Applications
Slide 1: Detection of Logic Flaws in Web Applications
Davide Balzarotti, Giancarlo Pellegrino

Slides 2-3: Distributed, Service-oriented, Web-based applications
Parties: U (user), S (Seller Inc.), P (Bank Inc.)
- U orders item I from S
- P transfers value(I) to S
- S answers "Shipping in 2 days"

Slides 4-5: Distributed, Service-oriented, Web-based applications
Parties: U, IdP and AS (Buyer Inc.), S (Seller Inc.), P (Bank Inc.)
- Log U in to S; grant U the access to S
- U orders item I from S
- Log U in to P; grant U the access for paying I
- P transfers value(I) to S
- S answers "Shipping in 2 days"

Slide 6: Security Risks
Same parties as above; the slide shows where the workflow can be subverted:
- Impersonate U when logging U in to S
- Order Ferrari
- Transfer 0.00 instead of value(I) to S
- S still answers "Shipping in 2 days"

Slide 7: Threats to Business Applications
- Increased attack surface: from monolithic and centralized to n-tier and distributed over the Web
- In 2012: 92% of the attacks came from external attackers; +33% web attacks compared to 2011; web attacks cost on average more than $1M per organization
- A large number of techniques exist to test web applications for the presence of several classes of vulnerabilities, e.g. SQL injection and parameter pollution

Slide 8: Logic Vulnerabilities
- Still lack a formal definition: "design flaws", "business logic errors", "weaknesses [...] that commonly allow attackers to manipulate the business logic of an application" (CWE database)
- Mainly caused by insufficient validation of the workflow and/or data flow of the application
- Detecting logic vulnerabilities requires a model of the application logic
- Logic vulnerabilities can exhibit patterns, e.g. information disclosure, authentication bypass

Slide 9: The Rise of Logic Vulnerabilities
- Poorly studied
- Increasing importance: improper authentication overtook XSS in the OWASP 2013 Top 10; logic flaws are the 2nd security risk in 2013 according to Trustwave; the number of CVE entries associated with logic flaws is increasing over the years

Slides 10-13: State of the Art
The slides build up a matrix: formal model available (yes/no) against source code available (yes/no).
- White-box testing (source code available) [BalzarottiCCS07, FelmetsgerUSENIX10, ...]: scalability issues; not applicable to business applications for which the source code is not available
- Design verification via model checking (formal model available) [LoweTACAS96, MitchellUSENIX98, ArmandoCSF07, ...]: attacks discovered by the model checker are only valid at model level; attack interpretation and execution against implementations is done manually
- Black-box security testing (neither model nor source code) [DoupèDIMVA10, WangS&P11, WangS&P12]: mostly based on crawlers and fuzzers; still unable to automatically detect logic flaws; the entire testing is mainly done manually
- Summary: automated tools exist where a formal model or the source code is available; otherwise, manual inspection

Slides 14-15: Bridging the Gap
- From the model checking side: requires abstract, simplified (but precise) models of the application/protocol; flaws found in the model need to be manually verified in the real system
- From the system security testing side: requires a real deployment of the application/protocol; without a model, it is hard to detect logic flaws

Slide 16: Manual Testing
- Understand the web application: intended workflow and data flow between pages
- Model how the application is supposed to work
- Design tests that try unconventional behaviors: on the workflow plane (e.g., re-ordered steps) and on the data plane (e.g., replayed tokens)
- Run the tests
- Observe the results and identify vulnerabilities

Slide 17: Overview of the Approach [NDSS14] (figure: the pipeline stages, with the extraction stage highlighted)

Slides 18-19: Model Inference (figure: navigation graph extraction)

Slide 20: Behavioral Patterns Extraction (figure)

Slides 21-22: Workflow (figure: traces and the navigation graph inferred from them)
Pattern legend: TrWP = trace waypoints; St = singleton nodes; multi-step operations; Rp = repeatable operations; MWP = model waypoints

Slides 23-25: Data Flow
Each trace is the sequence of HTML responses returned along the workflow; each response carries the link the user follows next.
Trace 1:
  <HTML> <a href="/view.php?tid=23"> [...]
  <HTML> <a href="/add.php?tid=23"> [...]
  <HTML> <a href="/checkout"> [...]
Trace 2:
  <HTML> <a href="/add.php?tid=6"> [...]
  <HTML> <a href="/checkout"> [...]
Slide 24 annotates the three steps of trace 1: the tid=23 sent to view.php is client generated (it does not come from a previous response), the tid=23 sent to add.php is server generated (its value was offered by a link in the previous response), and checkout follows.

Slide 26: Data Propagation Chains (figure: linking each server-generated parameter to the response that produced it)
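The data-flow step on slides 23-26 can be made concrete with a small Python script. This is an added example and not code from the NDSS14 tool: it assumes traces are recorded as (request URL, response HTML) pairs, extracts the links each response offers, and marks every request parameter as client generated or server generated depending on whether an earlier response in the same trace offered that (name, value) pair; the recorded origin step is the propagation chain. The traces below are constructed after the slide, not captured traffic.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit


class LinkExtractor(HTMLParser):
    """Collect href targets of <a> tags from an HTML response body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def split_url(url):
    """Return (path, [(param, value), ...]) for a request or link URL."""
    parts = urlsplit(url)
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)


def propagation_chains(trace):
    """Classify every request parameter in one trace.

    trace is a list of (request_url, response_html) pairs in workflow order.
    A value is 'server' generated when an earlier response of the same trace
    offered that (name, value) pair in a link, otherwise 'client' generated.
    origin_step is the index of the response the value was taken from.
    """
    offered = {}  # (param, value) -> index of the first response offering it
    records = []
    for step, (request_url, response_html) in enumerate(trace):
        path, params = split_url(request_url)
        for name, value in params:
            origin = offered.get((name, value))
            records.append({
                "step": step, "path": path, "param": name, "value": value,
                "source": "server" if origin is not None else "client",
                "origin_step": origin,
            })
        # Links in this response become candidates for later requests.
        for link in extract_links(response_html):
            _, link_params = split_url(link)
            for name, value in link_params:
                offered.setdefault((name, value), step)
    return records


def classify_parameters(traces):
    """Merge chains across traces: a (path, param) is 'server' if every
    observed occurrence came from a response, 'client' if none did,
    and 'mixed' otherwise."""
    sources = {}
    for trace in traces:
        for rec in propagation_chains(trace):
            sources.setdefault((rec["path"], rec["param"]), set()).add(rec["source"])
    return {key: (next(iter(s)) if len(s) == 1 else "mixed")
            for key, s in sources.items()}


# Constructed traces modelled on the slide (assumed URL layout).
TRACE_1 = [
    ("/view.php?tid=23", '<html><a href="/add.php?tid=23">add to cart</a></html>'),
    ("/add.php?tid=23", '<html><a href="/checkout">checkout</a></html>'),
    ("/checkout", "<html>order summary</html>"),
]
TRACE_2 = [
    ("/index.php", '<html><a href="/add.php?tid=6">add to cart</a></html>'),
    ("/add.php?tid=6", '<html><a href="/checkout">checkout</a></html>'),
    ("/checkout", "<html>order summary</html>"),
]

if __name__ == "__main__":
    for rec in propagation_chains(TRACE_1):
        print(rec)
    print(classify_parameters([TRACE_1, TRACE_2]))
```

Parameters that are always server generated are the ones the application expects to travel untouched from one page to the next, which is exactly where a data-flow check (does the server re-validate the value it handed out?) belongs in the model.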
Slide 27: Test Case Generation (figure: the extraction stage feeding test case generation)

Slides 28-29: Attack Pattern-based Test Case Generation (figure)

Slides 30-31: Test Case Execution and Oracle
The security property is expressed in LTL (formula not transcribed).

Slide 32: Oracle
Pipeline: HTTP conversation -> events extraction -> application logic checker -> verdict
Example conversation and the events extracted from it:
- store/login, response <HTML> <a href="/view?id=23"> -> event Login
- store/view?id=23, response <HTML> <a href="/add?id=23"> -> event View 23
- store.com/add?id=23, response <HTML> <a href="/checkout"> -> event Add 23
The checker decides whether the event trace π satisfies the property ϕ (π ⊨ ϕ?) and returns a yes/no verdict.
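The oracle of slide 32 can be illustrated with a self-contained Python monitor. This is an added example, not the paper's checker: the LTL formula is not on the slides, so the block encodes one plausible safety property, "every Confirm is preceded by a Checkout whose total has been paid in full", and checks it over a finite event trace. The request-line patterns, the "Total:" marker in the checkout page and the form field "amount" are assumptions about the store; the conversations are constructed, the second one reproducing the "transfer 0.00" case of slide 6 as input for the detector.

```python
import re
from decimal import Decimal


def _decimal(pattern, text):
    """Pull a decimal amount out of a body with the given capturing pattern."""
    match = re.search(pattern, text)
    return Decimal(match.group(1)) if match else None


# Events extraction: request-line patterns of the assumed store, each mapped
# to an abstract event built from the match, request body and response body.
RULES = [
    (r"^POST /login$", lambda m, body, resp: ("Login",)),
    (r"^GET /view\?id=(\d+)$", lambda m, body, resp: ("View", m.group(1))),
    (r"^GET /add\?id=(\d+)$", lambda m, body, resp: ("Add", m.group(1))),
    (r"^GET /checkout$", lambda m, body, resp: ("Checkout", _decimal(r"Total: ([\d.]+)", resp))),
    (r"^POST /pay$", lambda m, body, resp: ("Pay", _decimal(r"amount=([\d.]+)", body))),
    (r"^GET /confirm$", lambda m, body, resp: ("Confirm",)),
]


def extract_events(conversation):
    """Turn (request_line, request_body, response_body) triples into events."""
    events = []
    for request_line, body, response in conversation:
        for pattern, make_event in RULES:
            match = re.match(pattern, request_line)
            if match:
                events.append(make_event(match, body, response))
                break  # requests that match no rule produce no event
    return events


def check_property(events):
    """Application logic checker for the property phi: every Confirm must be
    preceded by a Checkout whose total has been paid in full.
    Returns (holds, reason). The trace is finite, so this monitor stands in
    for the model check pi |= phi on the slide."""
    total = None
    paid = Decimal("0")
    for event in events:
        kind = event[0]
        if kind == "Checkout":
            total, paid = event[1], Decimal("0")  # a new order resets payments
        elif kind == "Pay" and event[1] is not None:
            paid += event[1]
        elif kind == "Confirm":
            if total is None:
                return False, "Confirm observed without a preceding Checkout"
            if paid < total:
                return False, f"Confirm with paid={paid} but total={total}"
    return True, "no violation"


def verdict(conversation):
    return check_property(extract_events(conversation))


# Constructed conversations (not captured traffic): request line,
# request body, response body.
EXPECTED = [
    ("POST /login", "user=alice&pw=secret", '<html><a href="/view?id=23">item</a></html>'),
    ("GET /view?id=23", "", '<html><a href="/add?id=23">add</a></html>'),
    ("GET /add?id=23", "", '<html><a href="/checkout">checkout</a></html>'),
    ("GET /checkout", "", '<html>Total: 100.00 <form action="/pay"></form></html>'),
    ("POST /pay", "amount=100.00", "<html>payment accepted</html>"),
    ("GET /confirm", "", "<html>Shipping in 2 days</html>"),
]
# Same workflow, but the amount handed to the cashier was 0.00 (slide 6).
UNDERPAID = [step if step[0] != "POST /pay" else ("POST /pay", "amount=0.00", step[2])
             for step in EXPECTED]

if __name__ == "__main__":
    for name, conv in (("expected", EXPECTED), ("underpaid", UNDERPAID)):
        print(name, extract_events(conv), verdict(conv))
```

The split into extraction rules and a checker mirrors the slide: the rules are the only part tied to a particular application, while the checker reasons over abstract events, so the same property can be reused across the shopping carts of the case study by swapping the rule set.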
Slide 33: Case Study: Shopping Cart Web Applications
Customers buy from shopping cart web applications and pay through a Cashier-as-a-Service (CaaS, formerly called payment gateways).

Slide 34: Excerpt of Results
Table columns: Application, CaaS (Std or Exp), # Test Cases, # TC Exec., Violations, # Bugs, # Vulns.
Rows: AbanteCart (Std); Magento (Exp, Std); OpenCart (Exp, Std); oscommerce (Exp, Std); PrestaShop (Exp); TomatoCart (Exp, Std); CS-Cart (Exp, Std); Total. The numeric cells are not present in the transcription.

Slide 35: Vulnerabilities
Columns: Application, Popularity, Shop for free, Pay less, No agreement on price, Session Fixation (an x marks a vulnerability found; the column of each mark is not recoverable from the transcription).
- AbanteCart, 21,200: x
- Magento, 3,130,000: none
- OpenCart, 9,710,000: x x
- oscommerce, 80,500: x x
- PrestaShop, 650,000: none
- TomatoCart, 119,000: x x x x
- CS-Cart, 260,000: x

Slide 36: oscommerce and AbanteCart: Shopping for Free (figure)

Slide 37: Security Testing + Model Checking
- Passive model inference: extraction of workflow and data flow patterns
- Attack pattern-based test case generation
- Assessment of real-world web applications: detection of 10 critical vulnerabilities that affect millions of websites

Slide 38: Missing Pieces
- Replace attack patterns with model checking: our models are still too complex, and we need a good attacker model for the Web
- The oracle still needs to be provided by the analyst: explore inference techniques to generate logic invariants
- Extend the technique to other classes of vulnerabilities (e.g., improper authentication) and classes of applications (e.g., online banking, travel booking, conference systems, ...)