Care & Feeding of Programmers: Addressing App Sec Gaps using HTTP Headers. Sunny Wear OWASP Tampa Chapter December
|
|
- Brianna Anderson
- 5 years ago
- Views:
Transcription
1 Care & Feeding of Programmers: Addressing App Sec Gaps using HTTP Headers Sunny Wear OWASP Tampa Chapter December 1
2 About the Speaker Security Architect Areas of Network and Data Security Architecture Author Secure Coding Field Manual available on Amazon Educator/Mentor/Coach/Consultant: Secure Coding Code Analysis Manual Security Code Reviews Secure Designs and Architecture Principles Programmer understanding of Tests Results 2
3 2013 celebrity photo hack Apple icloud (hack occurring in 2013) Naked celebrity photos 3
4 What is SOP? Same Origin Policy Web Security Model Policy enforced by browser Constrained to origin: protocol, port, hostname h\ps://developer.mozilla.org/en-us/docs/web/security/same-origin_policy 4
5 SOP Protects foreign requests from in your session as long as the foreign request is coming from a different origin. Example: 1) User logged into h\ps://mybank.com 2) Opens tab to vulnerable site which has planted XSS; The XSS injects malicious iframe into user s session in other tab: h\ps://mybank.com 3) SOP stops this a\empt (different hostname, different protocol) 5
6 SOP Caveat SOP is great however, it will NOT protect you against externally referenced images, styles and scripts! External scripts are allowed by SOP! Why? SOP sees does not view these components (js, img, css) as data so allows access to foreign sites and their 6
7 Bypassing SOP Implement any (e.g., Click bu\ons) on the user s behalf Using JSONp, see BlackHat Europe 2014 Talk by Ben Hayak CallBacks Legi@mately used by Google and others to share data Can become the injec@on points for an a\acker Any page on the domain becomes vulnerable 7
8 Defenses & Countermeasures Content Security Policy Secure HTTP Headers HTML5 8
9 What is Content Security Policy? Content Security Policy (CSP) is a whitelist you can define in your web applica@on to authorize the execu@on of scripts Delivered via HTTP Header (configure web server or programma@cally add) Allows whitelis@ng of approved sources of content that browser may load including JavaScript and Cascading Stylesheets Its like a cheap/poor man s version of a Web Applica@on Firewall (WAF) for injec@on-related a\acks 9
10 Why should I care about Content Security Policy? Effec@ve countermeasure to XSS a\acks, which usually lead to CSRF a\acks Protects the DOM, prevents data leakage, protects against AJAX a\acks Protects against externally referenced images, styles and scripts which Same Origin Policy (SOP) does not do Protects against iframe injec@on (i.e., clickjacking) 10
11 Can I see an example of CSP? Example: This CSP specifics that only content from this website is allowed to execute, including externally referenced images, styles and scripts 11
12 Are there cost-efficiencies to be gained by using CSP? YES! CSP protects your web and all subdomains (so long as you specify). This means it will protect areas of your web inadvertently missed by programmers in their techniques. It will protect areas of your web where may reside that are not detected by your code analyzer (e.g., HP It will protect areas of your web inadvertently not tested by web app pen-testers CSP provides techniques that can save money in the following areas: Pen-test costs, including QA and Deployment costs code analyzer development costs related to a\acks (SQLi, iframe, clickjacking, XSS, etc.) 12
13 How do I implement CSP? Several Op@ons Available including the following: 1. IIS Configura@on 2. Apache Configura@on 3. Programma@cally Any programming language providing the ability to set HTTP Response headers can be used Example shown is Java: Full Java Servlet example here: h\ps:// 13
14 What are available in CSP? 14
15 If I implement CSP, will my web page code break? Any inline JS or inline CSS calls would be broken unless you use direc@ve but I recommend against using the direc@ve since it will allow a\acker-controlled scripts to execute on your website. You can use a nonce or hashed-values for inline JS or CSS excep@ons, if you like. Any exis@ng inline JS or inline CSS needs to be externalized to a JS or CSS file and referenced in your web page by using the explicit <script> tags. For example, if you have a block of JS code for Google Analy@cs, you would have to create an external file and reference it like this: <script src="/assets/js/ga.min.js"></script> Also, any inline event handlers like onclick"domystuff();" have to be removed and replaced with addeventlistener() calls instead. 15
16 What does CSP look like from a client browser perspec@ve? 16
17 Which browsers are with CSP headers? Full table here: h\p://caniuse.com/contentsecuritypolicy 17
18 Can I watch a demo to see how CSP works? Yes! 18
19 Are there other HTTP Response Headers available that can protect my web Yes! In to Content-Security-Policy, you may add these securityrelated HTTP Response Headers: HTTP Strict Transport Security To ensure that users of your site must always use HTTPS, add this header. It will even work on old bookmarks, forcing users to instead use HTTPS. HTTP Public Key Pinning To ensure that only YOUR server s TLS digital cer@ficate is authorized for client browsers to trust, add this header. This prevents a\acker-controlled cer@ficates for your server (should the CA be compromised) from being accepted by clients. X-Frame Op;ons To ensure that no malicious iframes are loaded or executed on your website; protects against clickjacking a\ack. X-XSS Protec;on Ensures the use of built-in browser protec@on against XSS a\acks. Sewngs are 0 (disable) and 1 (enable) with a telling the browser to block the execu@on of a script if it detects an a\ack. X-Content-Type Op;ons Provides the direc@ve the sniffing of the mime-type for an uploaded file. By not allowing this sniff to occur, this mi@gates spoofing of the content-type to circumvent whitelis@ng techniques within the applica@on code. 19
20 X-FRAME Header SAMEORIGIN DENY (Recommended) ALLOW-FROM: <explicit domain> h\ps:// List_of_useful_HTTP_headers Protects against Clickjacking of iframes) 20
21 HTML 5 Whitelis@ng Never allow client-side callback func@ons Whitelist callback domains, redirects always on server-side 21
22 References BlackHat 2014 Talk: Same Origin Method (Ben Hayak): h\ps:// Defcon 21 Talk: How to use CSP to stop XSS (Ken Lee): h\ps:// 22
HTTP Security Headers Explained
HTTP Security Headers Explained Scott Sauber Slides at scottsauber.com scottsauber Audience Anyone with a website Agenda What are HTTP Security Headers? Why do they matter? HSTS, XFO, XSS, CSP, CTO, RH,
More informationProtec'ng Java EE Web Apps with Secure HTTP Headers
Protec'ng Java EE Web Apps with Secure HTTP Headers Frank Kim About Consultant, ThinkSec Author, SANS Secure Coding in Java SANS Applica'on Security Curriculum Lead Shout out Thanks to Jason Lam who co-
More informationTop 10 Web Application Vulnerabilities
Top 10 Web Application Vulnerabilities Why you should care about them plus a live hacking demo!! Why should you care?! Insecure so*ware is undermining our financial, healthcare, defense, energy, and other
More informationContent Security Policy
About Tim Content Security Policy New Tools for Fighting XSS Pentester > 10 years Web Applications Network Security Products Exploit Research Founded Blindspot Security in 2014 Pentesting Developer Training
More informationPattern Recognition and Applications Lab WEB Security. Giorgio Giacinto.
Pattern Recognition and Applications Lab WEB Security Giorgio Giacinto giacinto@diee.unica.it Sicurezza Informa1ca, 2015-2016 Department of Electrical and Electronic Engineering University of Cagliari,
More informationCSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis
CSE361 Web Security Attacks against the client-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu Despite the same origin policy Many things can go wrong at the client-side of a web application
More informationWHY CSRF WORKS. Implicit authentication by Web browsers
WHY CSRF WORKS To explain the root causes of, and solutions to CSRF attacks, I need to share with you the two broad types of authentication mechanisms used by Web applications: 1. Implicit authentication
More informationHow to read security test report?
How to read security test report? Ainārs Galvāns Security Tester Exigen Services Latvia www.exigenservices.lv Defini@ons (wikipedia) Term Threat Vulnerability Informa@on assurance Defini+on A threat is
More informationRKN 2015 Application Layer Short Summary
RKN 2015 Application Layer Short Summary HTTP standard version now: 1.1 (former 1.0 HTTP /2.0 in draft form, already used HTTP Requests Headers and body counterpart: answer Safe methods (requests): GET,
More informationCSP ODDITIES. Michele Spagnuolo Lukas Weichselbaum
ODDITIES Michele Spagnuolo Lukas Weichselbaum ABOUT US Michele Spagnuolo Lukas Weichselbaum Information Security Engineer Information Security Engineer We work in a special focus area of the Google security
More informationWeb basics: HTTP cookies
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh February 11, 2016 1 / 27 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the
More informationHow is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh March 30, 2015 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the server sends
More informationMatch the attack to its description:
Match the attack to its description: 8 7 5 6 4 2 3 1 Attacks: Using Components with Known Vulnerabilities Missing Function Level Access Control Sensitive Data Exposure Security Misconfiguration Insecure
More informationCSC 482/582: Computer Security. Cross-Site Security
Cross-Site Security 8chan xss via html 5 storage ex http://arstechnica.com/security/2015/09/serious- imgur-bug-exploited-to-execute-worm-like-attack-on- 8chan-users/ Topics 1. Same Origin Policy 2. Credential
More informationHigh -Tech Bridge s Web Server Security Service API Developer Documentation Version v1.3 February 13 th 2018
HTB_WEBSECDOCS_v1.3.pdf Page 1 of 29 High -Tech Bridge s Web Server Security Service API Developer Documentation Version v1.3 February 13 th 2018 General Overview... 2 Meta-information... 4 HTTP Additional
More informationNoScript, CSP and ABE: When The Browser Is Not Your Enemy
NoScript, CSP and ABE: When The Browser Is Not Your Enemy Giorgio Maone CTO, NoScript lead developer InformAction OWASP-Italy Day IV Milan 6th, November 2009 Copyright 2008 - The OWASP Foundation Permission
More informationCSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis
CSE361 Web Security Attacks against the client-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu Despite the same origin policy Many things can go wrong at the client-side of a web application
More informationWeb basics: HTTP cookies
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh November 20, 2017 1 / 32 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the
More informationWeb 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007
Web 2.0 and AJAX Security OWASP Montgomery August 21 st, 2007 Overview Introduction Definition of Web 2.0 Basics of AJAX Attack Vectors for AJAX Applications AJAX and Application Security Conclusions 1
More informationDefense-in-depth techniques. for modern web applications
Defense-in-depth techniques for modern web applications About Us Lukas Weichselbaum Michele Spagnuolo Senior Information Security Engineer Senior Information Security Engineer We work in a focus area of
More informationWEB SECURITY: XSS & CSRF
WEB SECURITY: XSS & CSRF CMSC 414 FEB 22 2018 Cross-Site Request Forgery (CSRF) URLs with side-effects http://bank.com/transfer.cgi?amt=9999&to=attacker GET requests should have no side-effects, but often
More informationDissec&ng CSRF A/acks & Defenses. Mike Shema Vaagn Toukharian
Dissec&ng CSRF A/acks & Defenses Mike Shema Vaagn Toukharian Cross Site Request Forgery The confused, session- riding deputy Pros & cons of current countermeasures Improving verifica@on of CSRF tokens
More informationWEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang
WEB SECURITY WORKSHOP TEXSAW 2014 Presented by Solomon Boyd and Jiayang Wang Introduction and Background Targets Web Applications Web Pages Databases Goals Steal data Gain access to system Bypass authentication
More informationWeb Pen Tes)ng. Michael Hicks CMSC 498L, Fall 2012 Part 2 slides due to Eric Eames, Lead Penetra)on Tester, SAIC, March 2012
Web Pen Tes)ng Michael Hicks CMSC 498L, Fall 2012 Part 2 slides due to Eric Eames, Lead Penetra)on Tester, SAIC, March 2012 Exploi)ng Vulnerabili)es Code injec)on Cross site scrip)ng, SQL injec)on, (buffer
More informationEvaluating the Security Risks of Static vs. Dynamic Websites
Evaluating the Security Risks of Static vs. Dynamic Websites Ballard Blair Comp 116: Introduction to Computer Security Professor Ming Chow December 13, 2017 Abstract This research paper aims to outline
More informationApplication. Security. on line training. Academy. by Appsec Labs
Application Security on line training Academy by Appsec Labs APPSEC LABS ACADEMY APPLICATION SECURITY & SECURE CODING ON LINE TRAINING PROGRAM AppSec Labs is an expert application security company serving
More informationOrigin Policy Enforcement in Modern Browsers
Origin Policy Enforcement in Modern Browsers A Case Study in Same Origin Implementations Frederik Braun Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 1 / 32 Table of
More informationCNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies
CNIT 129S: Securing Web Applications Ch 3: Web Application Technologies HTTP Hypertext Transfer Protocol (HTTP) Connectionless protocol Client sends an HTTP request to a Web server Gets an HTTP response
More informationSecurity. CSC309 TA: Sukwon Oh
Security CSC309 TA: Sukwon Oh Outline SQL Injection NoSQL Injection (MongoDB) Same Origin Policy XSSI XSS CSRF (XSRF) SQL Injection What is SQLI? Malicious user input is injected into SQL statements and
More informationBOOSTING THE SECURITY
BOOSTING THE SECURITY OF YOUR ANGULAR APPLICATION Philippe De Ryck March 2017 https://www.websec.be ANGULAR APPLICATIONS RUN WITHIN THE BROWSER JS code HTML code Load application JS code / HTML code JS
More informationCode-Injection Attacks in Browsers Supporting Policies. Elias Athanasopoulos, Vasilis Pappas, and Evangelos P. Markatos FORTH-ICS
Code-Injection Attacks in Browsers Supporting Policies Elias Athanasopoulos, Vasilis Pappas, and Evangelos P. Markatos FORTH-ICS What is all about? New code-injection attacks or return-to-libc attacks
More informationContent Security Policy
Content Security Policy And mitigating Cross-site Scripting vulnerabilities Joseph Fields M.Sc Computer Science - December 2016 Introduction HTML and Javascript power billions of websites visited daily
More informationWeb Application Penetration Testing
Web Application Penetration Testing COURSE BROCHURE & SYLLABUS Course Overview Web Application penetration Testing (WAPT) is the Security testing techniques for vulnerabilities or security holes in corporate
More informationWeb Application Security. Philippe Bogaerts
Web Application Security Philippe Bogaerts OWASP TOP 10 3 Aim of the OWASP Top 10 educate developers, designers, architects and organizations about the consequences of the most common web application security
More informationBrowser code isolation
CS 155 Spring 2016 Browser code isolation John Mitchell Acknowledgments: Lecture slides are from the Computer Security course taught by Dan Boneh and John Mitchell at Stanford University. When slides are
More information2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun
CYSE 411/AIT 681 Secure Software Engineering Topic #11. Web Security Instructor: Dr. Kun Sun Secure Coding String management Pointer Subterfuge Dynamic memory management Integer security Formatted output
More informationW3Conf, November 15 & 16, Brad Scott
The Future of Web Application Security W3Conf, November 15 & 16, 2011 Brad Hill @hillbrad bhill@paypal-inc.com Scott Stender @scottstender scott@isecpartners.com The History of Web App Security Attacker
More informationEradicating DNS Rebinding with the Extended Same-Origin Policy
Eradicating DNS Rebinding with the Extended Same-Origin Policy Martin Johns, Sebastian Lekies and Ben Stock USENIX Security August 16th, 2013 Agenda DNS Rebinding The basic attack History repeating HTML5
More informationThe Hacker s Guide to XSS
The Hacker s Guide to XSS Patrycja Wegrzynowicz CTO, Yon Labs/Yonita CodeOne 2018 Copyright: Patrycja Wegrzynowicz About Me 20+ professional experience SoOware engineer, architect, head of sooware R&D
More informationAN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE
AN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE Nicholas Carlini, Adrienne Porter Felt, David Wagner University of California, Berkeley CHROME EXTENSIONS CHROME EXTENSIONS servers servers
More informationSo we broke all CSPs. You won't guess what happened next!
So we broke all CSPs You won't guess what happened next! whoami and Past Work Michele Spagnuolo Senior Information Security Engineer bitiodine.net rosettaflash.com Recap what happened last year Summary
More informationLecture Overview. IN5290 Ethical Hacking
Lecture Overview IN5290 Ethical Hacking Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks Universitetet i Oslo Laszlo Erdödi How to use Burp
More informationLecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks
IN5290 Ethical Hacking Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks Universitetet i Oslo Laszlo Erdödi Lecture Overview How to use Burp
More informationWriting Secure CFML Pete Freitag, Foundeo Inc. foundeo
Writing Secure CFML Pete Freitag, Foundeo Inc. foundeo Who am I? Over 10 years working with ColdFusion Owner of Foundeo Inc a ColdFusion consulting & Products company Author, Blogger, and Twitterer? Today
More informationOctober 08: Introduction to Web Security
October 08: Introduction to Web Security Scribe: Rohan Padhye October 8, 2015 Web security is an important topic because web applications are particularly hard to secure, and are one of the most vulnerable/buggy
More informationObjec&ves. Review: Security. Google s AI is wri&ng poetry SQL INJECTION ATTACK. SQL Injec&on. SQL Injec&on. Security:
Objec&ves Security: Ø Injec&on a6acks Ø Cross-site scrip&ng Ø Insecure direct object reference Group photo Review: Security Why has the Web become such a huge target? How can you protect against security
More informationEasyCrypt passes an independent security audit
July 24, 2017 EasyCrypt passes an independent security audit EasyCrypt, a Swiss-based email encryption and privacy service, announced that it has passed an independent security audit. The audit was sponsored
More informationIs Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection
Is Browsing Safe? Web Browser Security Charlie Reis Guest Lecture - CSE 490K - 5/24/2007 Send Spam Search Results Change Address? Install Malware Web Mail Movie Rentals 2 Browser Security Model Pages are
More informationComputer Security 3e. Dieter Gollmann. Chapter 18: 1
Computer Security 3e Dieter Gollmann www.wiley.com/college/gollmann Chapter 18: 1 Chapter 18: Web Security Chapter 18: 2 Web 1.0 browser HTTP request HTML + CSS data web server backend systems Chapter
More informationWeb Security IV: Cross-Site Attacks
1 Web Security IV: Cross-Site Attacks Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab3 New terminator: http://www.cs.ucr.edu/~csong/sec/17/l/new_terminator Bonus for solving the old one
More informationWeb Application with AJAX. Kateb, Faris; Ahmed, Mohammed; Alzahrani, Omar. University of Colorado, Colorado Springs
Web Application with AJAX Kateb, Faris; Ahmed, Mohammed; Alzahrani, Omar University of Colorado, Colorado Springs CS 526 Advanced Internet and Web Systems Abstract Asynchronous JavaScript and XML or Ajax
More informationProvide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any
OWASP Top 10 Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any tester can (and should) do security testing
More informationWeb applica*on security for dynamic
Web applica*on security for dynamic languages zane@etsy.com @zanelackey Who am I? Security Engineering Manager @ Etsy Lead AppSec/NetSec/SecEng teams Formerly @ isec Partners Books/presenta*ons primarily
More informationExtending the browser to secure applications
Extending the browser to secure applications Highlights from W3C WebAppSec Group Deian Stefan Modern web apps have many moving pieces & parties Application code & content itself User provided content (e.g.,
More informationPHP & My SQL Duration-4-6 Months
PHP & My SQL Duration-4-6 Months Overview of the PHP & My SQL Introduction of different Web Technology Working with the web Client / Server Programs Server Communication Sessions Cookies Typed Languages
More informationControl What You Include! Server- Side Protec7on against Third Party Web Tracking. Dolière Francis Somé, Nataliia Bielova, Tamara Rezk Privaski 2017
Control What You Include! Server- Side Protec7on against Third Party Web Tracking Dolière Francis Somé, Nataliia Bielova, Tamara Rezk Privaski 2017 thanks to eprivacy direc7ve 2009 bcc.co.uk emp.bcci.co.uk
More informationSecurity and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web
Security and Privacy SWE 432, Fall 2016 Design and Implementation of Software for the Web Today Security What is it? Most important types of attacks Privacy For further reading: https://www.owasp.org/index.php/
More informationCIS 4360 Secure Computer Systems XSS
CIS 4360 Secure Computer Systems XSS Professor Qiang Zeng Spring 2017 Some slides are adapted from the web pages by Kallin and Valbuena Previous Class Two important criteria to evaluate an Intrusion Detection
More informationSichere Webanwendungen mit Java
Sichere Webanwendungen mit Java Karlsruher IT- Sicherheitsinitiative 16.07.2015 Dominik Schadow bridgingit Patch fast Unsafe platform unsafe web application Now lets have a look at the developers OWASP
More informationOWASP Top David Caissy OWASP Los Angeles Chapter July 2017
OWASP Top 10-2017 David Caissy OWASP Los Angeles Chapter July 2017 About Me David Caissy Web App Penetration Tester Former Java Application Architect IT Security Trainer: Developers Penetration Testers
More informationSQL Injec*on. By Robin Gonzalez
SQL Injec*on By Robin Gonzalez Some things that can go wrong Excessive and Unused Privileges Privilege Abuse Input Injec>on Malware Week Audit Trail Other things that can go wrong Storage Media Exposure
More informationCross-Site Request Forgery: The Sleeping Giant. Jeremiah Grossman Founder and CTO, WhiteHat Security
Cross-Site Request Forgery: The Sleeping Giant Jeremiah Grossman Founder and CTO, WhiteHat Security Cross-Site Request Forgeries (CSRF) 1. Session Riding 2. Client-Side Trojans 3. Confused Deputy 4. Web
More informationYour Turn to Hack the OWASP Top 10!
OWASP Top 10 Web Application Security Risks Your Turn to Hack OWASP Top 10 using Mutillidae Born to Be Hacked Metasploit in VMWare Page 1 https://www.owasp.org/index.php/main_page The Open Web Application
More informationKnow Your Own Risks: Content Security Policy Report Aggregation and Analysis
SESSION ID: CDS-F03 Know Your Own Risks: Content Security Policy Report Aggregation and Analysis Ksenia Dmitrieva Senior Consultant Cigital, Inc. @KseniaDmitrieva Agenda What is Content Security Policy
More informationCS 161 Computer Security
Paxson Spring 2017 CS 161 Computer Security Discussion 4 Week of February 13, 2017 Question 1 Clickjacking (5 min) Watch the following video: https://www.youtube.com/watch?v=sw8ch-m3n8m Question 2 Session
More informationMore attacks on clients: Click-jacking/UI redressing, CSRF
Web Security More attacks on clients: Click-jacking/UI redressing, CSRF (Section 7.2.3 on Click-jacking; Section 7.2.7 on CSRF; Section 7.2.8 on Defenses against client-side attacks) 1 Recall from last
More informationCommon Websites Security Issues. Ziv Perry
Common Websites Security Issues Ziv Perry About me Mitnick attack TCP splicing Sql injection Transitive trust XSS Denial of Service DNS Spoofing CSRF Source routing SYN flooding ICMP
More informationPROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH
Faculty of Computer Science Institute of Systems Architecture, Operating Systems Group PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH THE WEB AS A DISTRIBUTED SYSTEM 2 WEB HACKING SESSION 3 3-TIER persistent
More informationClient Side Injection on Web Applications
Client Side Injection on Web Applications Author: Milad Khoshdel Blog: https://blog.regux.com Email: miladkhoshdel@gmail.com 1 P a g e Contents INTRODUCTION... 3 HTML Injection Vulnerability... 4 How to
More informationMobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing
Mobile Malfeasance Exploring Dangerous Mobile Code Jason Haddix, Director of Penetration Testing Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to
More informationInformation Security. Gabriel Lawrence Director, IT Security UCSD
Information Security Gabriel Lawrence Director, IT Security UCSD Director of IT Security, UCSD Three Startups (2 still around!) Sun Microsystems (Consulting and JavaSoftware) Secure Internet Applications
More informationDefending Computer Networks Lecture 15: Web Evasions and Client Side A9acks. Stuart Staniford Adjunct Professor of Computer Science
Defending Computer Networks Lecture 15: Web Evasions and Client Side A9acks Stuart Staniford Adjunct Professor of Computer Science Apologies Logis;cs Assigned Reading h?p://www.thegreycorner.com/2010/01/
More informationBug-Alcoholic Untamed World of Web Vulnerabilities. OWASP AppSec 2010, University of California Irvine, CA, USA September 10, 2010
Bug-Alcoholic 2.0 - Untamed World of Web Vulnerabilities OWASP AppSec 2010, University of California Irvine, CA, USA September 10, 2010 Aditya K Sood SecNiche Security Labs Sr. Security Practitioner, Armorize
More informationAttacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14
Attacks Against Websites 3 The OWASP Top 10 Tom Chothia Computer Security, Lecture 14 OWASP top 10. The Open Web Application Security Project Open public effort to improve web security: Many useful documents.
More informationExploiting and Defending: Common Web Application Vulnerabilities
Exploiting and Defending: Common Web Application Vulnerabilities Introduction: Steve Kosten Principal Security Consultant SANS Instructor Denver OWASP Chapter Lead Certifications CISSP, GWAPT, GSSP-Java,
More informationPenetration Test Report
Penetration Test Report Feb 12, 2018 Ethnio, Inc. 6121 W SUNSET BLVD LOS angeles, CA 90028 Tel (888) 879-7439 ETHN.io Summary This document contains the most recent pen test results from our third party
More informationCIS 700/002 : Special Topics : OWASP ZED (ZAP)
CIS 700/002 : Special Topics : OWASP ZED (ZAP) Hitali Sheth CIS 700/002: Security of EMBS/CPS/IoT Department of Computer and Information Science School of Engineering and Applied Science University of
More informationC1: Define Security Requirements
OWASP Top 10 Proactive Controls IEEE Top 10 Software Security Design Flaws OWASP Top 10 Vulnerabilities Mitigated OWASP Mobile Top 10 Vulnerabilities Mitigated C1: Define Security Requirements A security
More informationWeb Security. New Browser Security Technologies
OWASP AppSec APAC 2013 The OWASP Foundation http://www.owasp.org Web Security New Browser Security Technologies Tobias Gondrom OWASP London OWASP Global Industry Committee Chair of IETF Web Security WG
More informationCertified Secure Web Application Engineer
Certified Secure Web Application Engineer ACCREDITATIONS EXAM INFORMATION The Certified Secure Web Application Engineer exam is taken online through Mile2 s Assessment and Certification System ( MACS ),
More informationMulti-Post XSRF Web App Exploitation, total pwnage
Multi-Post XSRF Web App Exploitation, total pwnage Adrien de Beaupré SANS ISC Handler Tester of pens Certified SANS Instructor Intru-Shun.ca Inc. SecTor 2015 Introduction Web application vulnerabilities.
More informationCNIT 129S: Securing Web Applications. Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2
CNIT 129S: Securing Web Applications Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2 Finding and Exploiting XSS Vunerabilities Basic Approach Inject this string into every parameter on every
More informationFounded the web application security lab
Robert RSnake Hansen - CEO SecTheory LLC Bespoke Boutique Internet Security Web Application/Browser Security Network/OS Security Advisory capacity to VCs/start-ups We solve tough problems. http://www.sectheory.com/
More informationHTML5 a clear & present danger
HTML5 a clear & present danger Renaud Bidou CTO 1/29/2014 Deny All 2012 1 1/29/2014 Deny All 2013 1 Menu 1. HTML5 new capabilities 2. HTML5 tricks 3. Empowering common threats 4. Hackers dreams come true
More informationHTML5 Web Security. Thomas Röthlisberger IT Security Analyst
HTML5 Web Security Thomas Röthlisberger IT Security Analyst thomas.roethlisberger@csnc.ch Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch
More informationInformation Security CS 526 Topic 8
Information Security CS 526 Topic 8 Web Security Part 1 1 Readings for This Lecture Wikipedia HTTP Cookie Same Origin Policy Cross Site Scripting Cross Site Request Forgery 2 Background Many sensitive
More informationGOING WHERE NO WAFS HAVE GONE BEFORE
GOING WHERE NO WAFS HAVE GONE BEFORE Andy Prow Aura Information Security Sam Pickles Senior Systems Engineer, F5 Networks NZ Agenda: WTF is a WAF? View from the Trenches Example Attacks and Mitigation
More informationWeb Security: Vulnerabilities & Attacks
Computer Security Course. Web Security: Vulnerabilities & Attacks Type 2 Type 1 Type 0 Three Types of XSS Type 2: Persistent or Stored The attack vector is stored at the server Type 1: Reflected The attack
More informationDon't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild
Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild Marius Steffens German OWASP Day 2018 joint work with Christian Rossow, Martin Johns and Ben Stock Dimensions
More informationlast time: command injection
Web Security 1 last time: command injection 2 placing user input in more complicated language SQL shell commands input accidentally treated as commands in language instead of single value (e.g. argument/string
More informationSecure Coding and Code Review. Berlin : 2012
Secure Coding and Code Review Berlin : 2012 Outline Overview of top vulnerabilities Code review practice Secure design / writing secure code Write some secure code Review a volunteer's code Top Problems
More informations642 web security computer security adam everspaugh
s642 computer security web security adam everspaugh ace@cs.wisc.edu review memory protections / data execution prevention / address space layout randomization / stack protector Sandboxing / Limit damage
More informationOWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP
OWASP Top 10 Risks Dean.Bushmiller@ExpandingSecurity.com Many thanks to Dave Wichers & OWASP My Mom I got on the email and did a google on my boy My boy works in this Internet thing He makes cyber cafes
More informationWeb Application Development
Web Application Development Produced by David Drohan (ddrohan@wit.ie) Department of Computing & Mathematics Waterford Institute of Technology http://www.wit.ie INTRODUCTION & TERMINOLOGY PART 1 Objec8ves
More informationWEB APPLICATION PENETRATION TESTING VERSION 2
WEB APPLICATION PENETRATION TESTING VERSION 2 The most practical and comprehensive training course on web application pentesting elearnsecurity has been chosen by students in over 140 countries in the
More informationWelcome to the OWASP TOP 10
Welcome to the OWASP TOP 10 Secure Development for Java Developers Dominik Schadow 03/20/2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN 1 AGENDA
More informationCOMP9321 Web Application Engineering
COMP9321 Web Application Engineering Web Application Security Dr. Basem Suleiman Service Oriented Computing Group, CSE, UNSW Australia Semester 1, 2016, Week 8 http://webapps.cse.unsw.edu.au/webcms2/course/index.php?cid=2442
More informationHybrid App Security Attack and Defense
标题文本» 正文级别 1 正文级别 2 正文级别 3 正文级别 4» 正文级别 5 Hybrid App Security Attack and Defense HuiYu Wu @ Tencent Security Platform Department About Me Security researcher at Tencent Security Platform Department Focus
More informationCSCD 303 Essential Computer Security Fall 2018
CSCD 303 Essential Computer Security Fall 2018 Lecture 17 XSS, SQL Injection and CRSF Reading: See links - End of Slides Overview Idea of XSS, CSRF and SQL injection is to violate security of Web Browser/Server
More informationCSWAE Certified Secure Web Application Engineer
CSWAE Certified Secure Web Application Engineer Overview Organizations and governments fall victim to internet based attacks every day. In many cases, web attacks could be thwarted but hackers, organized
More information