SlideShare ist ein Scribd-Unternehmen logo

Web App Security Techniques for Developers

Tuenti
Tuenti

The document discusses web application security and summarizes the top 10 security issues according to OWASP (Open Web Application Security Project). It provides details on each issue, including examples, prevalence, impact, and recommendations for prevention. The top issues are injection, XSS, broken authentication and session management, insecure direct object references, CSRF, security misconfiguration, failure to restrict URL access, unvalidated redirects, insecure cryptographic storage, and insufficient transport layer protection.

Technologie
1 von 78
Downloaden Sie, um offline zu lesen
Web Application Security Guillermo Pérez bisho@tuenti.com BE arch & Security Lead Eng. bcndevcon 2011
Things to deal with... in web app security
Web App security ● Anonymous attackers ● Worldwide access ● Shared environment for all users ● Easy distribution, profitable ● On top of all other components security: ○ Network security ○ OS security ○ Server software security ○ Social Engineering ○ Even more! browsers, plugins, virus, user computer security, shared computers, open wifis...
How to achieve it?
Web App security Humans (developers) are the bigger risk Give tools, frameworks & policies so no developer has to ever think how to secure up things. Should be clear and the easiest path. But there is no perfect security...
Top risks?
Top 10 security issues in webapps From OWASP (risks != frequency) 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection
Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection
1. Injection flaws Trick services to execute unintended commands to gain control or access unauthorized data. ● Several types: ○ SQL ○ OS execution ○ LDAP ○ XPath ○ NoSQL ○ uploads
1. Injection flaws ● Explotability: EASY ● Prevalence: COMMON ● Detectability: AVERAGE ● Impact: SEVERE ● Prevention: ○ Keep untrusted data separate from commands ● How: ○ Use safe, parametrized apis vs writting code to be executed by interpreter. ○ Escape special chars depending on interpreter. ○ Data cast, whitelist input validation.
1. Injection flaws: SQL ● http://example.com/?id=' or '1'='1 ● Explicit cast, escaping IN-PLACE ○ mysqli_escape_string() ○ ... ● Use prepared statements ○ Provides data separation ○ Client-side implementations (PDO) ○ SELECT * FROM table where id=? ● Use safe apis for query generation ○ $mysqlService->select($table, $pk, $fields, $where...) ● Safe ORM framework ○ $storage->read($keys);
1. Injection flaws: OS ● Don't use OS execution :) ● Escape ○ escapeshellarg
1. Injection flaws: uploads ● Don't put them on public folder ● Don't use user-provided data for names ● Whitelist extensions ● Validate content ● Store separately from app (DB, separate servers) ● Ensure write permissions are the minimum possible
Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection
2. XSS Trick services to return browser-executable code to user/s. ● Several classifications: ○ Breaking context vs sub-context ○ Persistant vs non-persistent ○ Traditional vs DOM
2. XSS ● Explotability: AVERAGE ● Prevalence: WIDESPREAD ● Detectability: EASY ● Impact: MODERATE ● Prevention: ○ Escape untrusted data depending on context ○ HTTP-Only Cookie mitigation is useless ● How: ○ Escape everything (even safe vars) ○ Escape in TEMPLATES (context aware) ○ Other (URL params) in specialized safe apis ○ Unit test
2. XSS: Classification by context ● Breaking context: ○ <a href="?id<?=$_GET['id']?>"> ○ "<script> ... ○ Easy to detect & test ■ Unit-test templates with all injections for all vars and validate html ● Non breaking context: ○ <a href="<?=$_GET['url']?>"> ○ javascript: ... ○ HARD TO DETECT
2. XSS: Classification by persistance ● Persistant ○ Data gets stored in DB ○ Users will be hit by regular navigation ○ Easier to test (templates) ● Non persistant ○ A request with some params returns XSS ○ Users need to be trick to navigate into the malicious link ○ More frequent (No results for 'blah') ○ Somewhat harder to test (cover error messages, non-template based responses)
2. XSS: Classification by mode ● Traditional ○ Just by exploiting browser parsing ○ Easy to test ● DOM ○ Cheating on JS ■ data from server injected in DOM ● Use innerText ● Do not compose html in JS ■ parsing data from uri, forms as 'safe' ○ Pretty hard to test. Avoid missuse, provide safe apis.
2. XSS @tuenti ● Escape on templates ● Escape everything, even what doesn't need to be escaped: ○ <?=View::escape_unsafe($html)?> ● Link generation framework ● Tests for templates, controllers
2. XSS: HTML ● Never put untrusted data in: ○ <script> contents ○ HTML comments ○ tag/attribute names ○ <style> contents ● Contexts: Content, attributes, url params, urls, js... ● Rich formating ○ Use alternative markup lang ■ Markdown ■ Textile ○ Filter HTML (white listing, carefull!!!)
2. XSS: JS ● Encode with xNNN (" might break HTML that is parsed before) ● Prefer reading values from dom ● URL pieces are not safe ● Beware of double context: setInterval('...'), eval()
2. XSS: JSON ● Easy to escape (single context) ● Can put the load on the browser (harder to test) ● Avoid mixing contexts (json on html, or json with/for html) ● Eval json as js can trigger js execution ○ Safe, full json encoding in server (never use half- baked json templates!!!) ○ Use the slow json-parse.js vs json.js regexp validation ● Be aware of context. content-type!
Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection
3. Auth & Session Attack authentication and sessions to gain control over an account. ● Passwords ● Session issues
3. Auth & Session ● Explotability: AVERAGE ● Prevalence: COMMON ● Detectability: AVERAGE ● Impact: SEVERE ● Prevention: ○ SSL, good session handling, detect auth brute force, avoid plain text passwords, strong password recovery, user sessions control (logout, history, close all), detect anomalous login patterns...
3. Auth & Session ● Passwords ○ Use SSL or digest auth ○ Enforce good passwords, rotation ○ Store passwords securely (constant time salted hashes) ○ fight phising (easy URL, educate users) ● Authentication ○ Don't make distintions between bad login / password ○ Reset to hide real logins, time-limited tokens, old password invalidate resets ○ Detect brute force, lock accounts ○ Watch misconfigurations ○ Specially on admin, secondary platforms
3. Auth & Session ● Sessions ○ Random Ids, >= 128 bit ○ Use SSL ○ Use secure=yes, httponly for cookies ○ No session fixation ○ No session ids in URLs ○ Change session id on priviledge scalation or switch between http->https ○ Expiration ○ Offer logout, history, close all ○ Do not send cookies to CDNs, non-principal sites
Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection
4. Direct object references Apps usually map backend objects to URLs. An attacker might bypass privacy and authentication by accessing directly to resources if don't do the appropiate checks. ● Trusted params ● Images
4. Direct object references ● Explotability: EASY ● Prevalence: COMMON ● Detectability: EASY ● Impact: MODERATE ● Prevention: ○ Properly check privacy on all objects ○ Good policy on where to put the privacy check ○ Do not trust params. Sign params is an option ○ Hide real db keys (show pos X in search Y, /me) ○ Make urls hard to guess
4. Direct object references Sounds stupid... ...but happens!
4. Direct object references ● Never check privacy on controllers ● Never check privacy on storage layer ● Privacy in backend api methods ○ With entry point documentation ○ Clear responsibility for privacy! ○ Most of the time implicit with good api design ○ Good performance ○ Easy to use privacy framework
4. Direct object references ● Documentation /* * @epoint-changes-state YES * @epoint-privacy-control IMPLICIT * - Only deletes current user tag if exists. * @epoint-summary Deletes the current user's tag on a photo *... */ public function deleteMyTag($photoKey) { $userId = CurrentUser::getId(); ...
4. Direct object references ● Privacy framework api ○ TPrivacy::hasAnyOf / hasAllOf ○ + Privacy providers if (TPrivacy::hasAnyOf( CurrentUser::getId() == $photoOwner, array('TagApi', TagApi::IS_TAGGED, $photoKey), array('... ... )) {
Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection
5. CSRF Cross site request forgery [CSFR in tuenti :)] Trick a authenticated user to submit requests to a service and do actions without consent. The browser will send the cookies and the request might look legit. ● Image tags (get) ● Forms (post) ● ...
5. CSRF ● Explotability: AVERAGE ● Prevalence: WIDESPREAD ● Detectability: EASY ● Impact: MODERATE ● Prevention: ○ Require a non-predictable token param on all actions that modify state ○ Use POST for all actions that modify state ○ Use custom header in ajax requests ○ Check Origin header when available!!!
5. CSRF @tuenti: ● Before was check when using a post param ○ Default values caused us issues ● Now explicit annotation on controllers ○ @ChangesState ● Evangelize developers
Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection
6. Security misconfiguration Missing security updates, open proxies, open ports, default accounts, directory listing, forgotten hardening...
6. Security misconfiguration ● Explotability: EASY ● Prevalence: COMMON ● Detectability: EASY ● Impact: MODERATE ● Prevention: ○ Develop install & configuration procedures ○ Document services and subscribe to updates ○ Hide services versions when possible ○ Separate components to minimize risks
6. Security misconfiguration @tuenti: ● we are big >1k servers ○ + possibilities for some issue ● But... ○ We use config management (pupet) ○ Good deployment procedures, documentation ○ Very isolated services ○ Few generic web components ○ Good systems team
Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection
7. URL access Attacker guesses URLs that lead to functionality, information.
7. URL access ● Explotability: EASY ● Prevalence: UNCOMMON ● Detectability: AVERAGE ● Impact: MODERATE ● Prevention: ○ Deny by default ○ Deploy by selection
7. URL access @tuenti ● Good deploy system ● Splited environments for production and dev ● Most non-public services restricted to vpn + centralized auth
Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection
8. Unvalidated redirects Use a service redirect to trick users into clicking on a link (belongs to valid service) and achieve more effective phising/virus downloads/revenue.
8. Unvalidated redirects ● Explotability: AVERAGE ● Prevalence: UNCOMMON ● Detectability: EASY ● Impact: MODERATE ● Prevention: ○ Don't expose destination URL as param, use references to a white list ○ Ensure end URLs are safe (Safe search, user reporting tools...)
Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection
9. Insecure crypto storage Some data is sensible enought to require being stored encripted/hashed, to protect it from being stolen. Unsalted hashes might be exploitable, backups might contain keys or cleartext, services might expose decrypt mecanisms, internal attacks might have access to keys.
9. Insecure crypto storage ● Explotability: DIFFICULT ● Prevalence: UNCOMMON ● Detectability: DIFFICULT ● Impact: SEVERE ● Prevention: ○ Keep backups encripted, don't store keys on same place. ○ Use salted hashes and constant time hashes ○ Ensure keys are protected ○ Don't offer full info (credit card XXXX 1234)
Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection
10. Transport layer protection An attacker might sniff traffic of your users to steal sessions to retrieve data, do spam...
10. Transport layer protection ● Explotability: DIFFICULT ● Prevalence: COMMON ● Detectability: EASY ● Impact: MODERATE ● Prevention: ○ Ensure to use SSL on all requests & resources loaded. ○ Change session ids when switching to https. ○ If optional, try to detect shared IPs and auto-enable on those.
Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection 11. Extras
11. Extras: Cross domain data leak Ajax is changing the web apps, with js-rich clients that request data. Beware of exposing JS / JSON user data through GET requests without CSRF tokens/headers! <script> tag is not Cross Domain safe! ● Require custom header (needs XMLhttpRequest) keep using GET ● Check origin header
11. Extras: Clickjacking Trick users to click/copy content on your page (by-passing CSRF) by using a hidden frame ● Use Frame-options ● Some anti-frame JS (hard) ○ top.location might not be accesible, cause JS error ○ redirections might be cancelled ○ Best (not pretty): blank page with link target _blank, if top. location == self.location, add content
11. Extras: Unicode ● Filter special unicode that can break design ● UTF encoding might bypass your XSS-filters ● UTF url encoding might bypass directory checks... ● NULL code %00 might bypass suffixes
11. Extras: HTTP/Mail Headers ● Are subject to CR/LF injection, leading to ○ XSS ○ Spam ○ redirection ○ ... ● Use safe api
11. Extras: People ● People is always the weakest link ● Phising ○ Educate ○ Good urls ○ Design ○ Referer analysis ○ React ● Self-inflicted JS injection ○ Educate ○ Filter content, be aware of surges
No input validation?
No input validation? Minimize malformed data, make it match business needs. NOT as primary method to avoid XSS, injection... ● Rules: ○ SERVER SIDE ○ Apply to all (form, url params, cookies, http headers) ○ Define whitelists of valid chars ○ Define length ○ Business on top of that
No input validation? ● Even thought, tuenti has a good validation system: ○ Based on annotations on controllers. ○ At data layer (storage definition) ● Makes exploits harder ● Good practice, clean code ● Explicit args in controllers
Other important aspects
Logging, stats, counters ● Very important for security ● Stats: ○ Detect issues, patterns to take measures. ● Logs ○ Analize issues. ● Counters ○ Detect & react to malicious activity
Error handling ● Sanitize error messages, use same templating system ● Do not provide information to users ● Control debug mode ● Dangers: ○ Log review tools (XSS) ○ As payload upload mecanism
Community ● Take care of community! ○ Thank security researchers ○ Reply fast ○ <24h fix policy ○ Tipically <2h! ○ Hall of FAME!!! ● How to report ○ Standard box security@tuenti.com + dns entries ○ Regular user support ○ Researchers know us
Web Security Future?
Browser XSS protections ● Reflexion XSS protection ○ Different implementations IE8, chrome ○ Adds issues, new problems ○ Non perfect, might improve?
Client side templates ● Data only requests are easier to escape ● It's harder to inject data into client-side templates (only persistent XSS) ● Templates might work in DOM mode ● SLOW in non recent browsers
Better JS ● More secure mashups ○ Google Caja... ● More enterprise JS ○ Dart, GWT, Closure, CoffeeScript
Plugins ... Apis ... Browsers ● Flash plugin will die! ● But new HTML5 apis will bring more issues ● Browsers extensions nightmare
Avoid cookies Using XMLHttpRequest with sid as param, from rich JS apps. Destination domain that does not have cookies. ● Decreases attack vectors on: ○ CSRF ○ Click jacking
SSL improvements ● HSTS ○ Force SSL ○ Certificate pinning ● False start ○ -30% handshake latency
Content Security Policy (Mozilla) ● Restricts a lot of attacking vectors ○ Forbids inline javascript ○ Forbids dynamic js code: eval, setTimeout(<string>) ○ Restricts inline data source (can be reverted for images for example) ○ Whitelist sources for each type of content (js, css, images, ajax...) ○ Configures frame permissions better ● Hard to implement in complex sites ○ twitter mobile is using it ○ Reports issues (to detect attacks, debug/testing phase)
? bisho@tuenti.com We are hiring! http://jobs.tuenti.com

Empfohlen

Google chrome presentation
Google chrome presentationGoogle chrome presentation
Google chrome presentationreza jalaluddin
 
PHP Security Tips
PHP Security TipsPHP Security Tips
PHP Security TipsChris Tankersley
 
Xebia Knowledge Exchange - Owasp Top Ten
Xebia Knowledge Exchange - Owasp Top TenXebia Knowledge Exchange - Owasp Top Ten
Xebia Knowledge Exchange - Owasp Top TenPublicis Sapient Engineering
 
Web Security Horror Stories
Web Security Horror StoriesWeb Security Horror Stories
Web Security Horror StoriesSimon Willison
 
Tuenti release process
Tuenti release processTuenti release process
Tuenti release processTuenti
 
Tuenti - de la idea a la web
Tuenti - de la idea a la webTuenti - de la idea a la web
Tuenti - de la idea a la webTuenti
 
Tuenti Release Workflow
Tuenti Release WorkflowTuenti Release Workflow
Tuenti Release WorkflowTuenti
 
Presentaciones tuenti
Presentaciones tuentiPresentaciones tuenti
Presentaciones tuentiMiriam_Guillemdiaz18
 

Empfohlen

Google chrome presentation
Google chrome presentationGoogle chrome presentation
Google chrome presentationreza jalaluddin
 
PHP Security Tips
PHP Security TipsPHP Security Tips
PHP Security TipsChris Tankersley
 
Xebia Knowledge Exchange - Owasp Top Ten
Xebia Knowledge Exchange - Owasp Top TenXebia Knowledge Exchange - Owasp Top Ten
Xebia Knowledge Exchange - Owasp Top TenPublicis Sapient Engineering
 
Web Security Horror Stories
Web Security Horror StoriesWeb Security Horror Stories
Web Security Horror StoriesSimon Willison
 
Tuenti release process
Tuenti release processTuenti release process
Tuenti release processTuenti
 
Tuenti - de la idea a la web
Tuenti - de la idea a la webTuenti - de la idea a la web
Tuenti - de la idea a la webTuenti
 
Tuenti Release Workflow
Tuenti Release WorkflowTuenti Release Workflow
Tuenti Release WorkflowTuenti
 
Presentaciones tuenti
Presentaciones tuentiPresentaciones tuenti
Presentaciones tuentiMiriam_Guillemdiaz18
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013Edouard de Lansalut
 
App Security and Securing App
App Security and Securing AppApp Security and Securing App
App Security and Securing AppAndreas Schranzhofer
 
Security .NET.pdf
Security .NET.pdfSecurity .NET.pdf
Security .NET.pdfAbhi Jain
 
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...LogeekNightUkraine
 
Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)Apostolos Giannakidis
 
Course_Presentation cyber --------------.pptx
Course_Presentation cyber --------------.pptxCourse_Presentation cyber --------------.pptx
Course_Presentation cyber --------------.pptxssuser020436
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Sean Jackson
 
Security Vulnerabilities: How to Defend Against Them
Security Vulnerabilities: How to Defend Against ThemSecurity Vulnerabilities: How to Defend Against Them
Security Vulnerabilities: How to Defend Against ThemMartin Vigo
 
Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Niranjanaa Ragupathy
 
Truetesters presents OWASP Top 10 Web Vulnerability
Truetesters presents OWASP Top 10 Web VulnerabilityTruetesters presents OWASP Top 10 Web Vulnerability
Truetesters presents OWASP Top 10 Web VulnerabilityTrueTesters
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practicesNeoito
 
Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)Abhishek Kumar
 
Mitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVMMitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVMApostolos Giannakidis
 
Web Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteWeb Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteAndrew Sorensen
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFBrian Huff
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...nooralmousa
 
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationMd Mahfuzur Rahman
 
Web Apps Security
Web Apps SecurityWeb Apps Security
Web Apps SecurityVictor Bucutea
 
Tuenti Release Workflow v1.1
Tuenti Release Workflow v1.1Tuenti Release Workflow v1.1
Tuenti Release Workflow v1.1Tuenti
 
Tu: Telco 2.0 at FICOD 2011
Tu: Telco 2.0 at FICOD 2011Tu: Telco 2.0 at FICOD 2011
Tu: Telco 2.0 at FICOD 2011Tuenti
 

Weitere ähnliche Inhalte

Ähnlich wie Web App Security Techniques for Developers

Security .NET.pdf
Security .NET.pdfSecurity .NET.pdf
Security .NET.pdfAbhi Jain
 
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...LogeekNightUkraine
 
Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)Apostolos Giannakidis
 
Course_Presentation cyber --------------.pptx
Course_Presentation cyber --------------.pptxCourse_Presentation cyber --------------.pptx
Course_Presentation cyber --------------.pptxssuser020436
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Sean Jackson
 
Security Vulnerabilities: How to Defend Against Them
Security Vulnerabilities: How to Defend Against ThemSecurity Vulnerabilities: How to Defend Against Them
Security Vulnerabilities: How to Defend Against ThemMartin Vigo
 
Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Niranjanaa Ragupathy
 
Truetesters presents OWASP Top 10 Web Vulnerability
Truetesters presents OWASP Top 10 Web VulnerabilityTruetesters presents OWASP Top 10 Web Vulnerability
Truetesters presents OWASP Top 10 Web VulnerabilityTrueTesters
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practicesNeoito
 
Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)Abhishek Kumar
 
Mitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVMMitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVMApostolos Giannakidis
 
Web Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteWeb Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteAndrew Sorensen
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFBrian Huff
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...nooralmousa
 
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationMd Mahfuzur Rahman
 

Ähnlich wie Web App Security Techniques for Developers (20)

Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
App Security and Securing App
App Security and Securing AppApp Security and Securing App
App Security and Securing App
 
Security .NET.pdf
Security .NET.pdfSecurity .NET.pdf
Security .NET.pdf
 
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
 
Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)
 
Course_Presentation cyber --------------.pptx
Course_Presentation cyber --------------.pptxCourse_Presentation cyber --------------.pptx
Course_Presentation cyber --------------.pptx
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019
 
Security Vulnerabilities: How to Defend Against Them
Security Vulnerabilities: How to Defend Against ThemSecurity Vulnerabilities: How to Defend Against Them
Security Vulnerabilities: How to Defend Against Them
 
Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018
 
Truetesters presents OWASP Top 10 Web Vulnerability
Truetesters presents OWASP Top 10 Web VulnerabilityTruetesters presents OWASP Top 10 Web Vulnerability
Truetesters presents OWASP Top 10 Web Vulnerability
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practices
 
Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)
 
Mitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVMMitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVM
 
Web Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteWeb Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your website
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
 
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web Application
 
Web Apps Security
Web Apps SecurityWeb Apps Security
Web Apps Security
 

Mehr von Tuenti

Tuenti Release Workflow v1.1
Tuenti Release Workflow v1.1Tuenti Release Workflow v1.1
Tuenti Release Workflow v1.1Tuenti
 
Tu: Telco 2.0 at FICOD 2011
Tu: Telco 2.0 at FICOD 2011Tu: Telco 2.0 at FICOD 2011
Tu: Telco 2.0 at FICOD 2011Tuenti
 
Tuenti Mobile Development
Tuenti Mobile DevelopmentTuenti Mobile Development
Tuenti Mobile DevelopmentTuenti
 
Tuenti - tu entidad
Tuenti - tu entidadTuenti - tu entidad
Tuenti - tu entidadTuenti
 
DTS s03e02 Handling the code
DTS s03e02 Handling the codeDTS s03e02 Handling the code
DTS s03e02 Handling the codeTuenti
 
DTS s03e04 Typing
DTS s03e04 TypingDTS s03e04 Typing
DTS s03e04 TypingTuenti
 
Tuenti Tech Teams. Frontend, Backend, Systems and more, working together
Tuenti Tech Teams. Frontend, Backend, Systems and more, working togetherTuenti Tech Teams. Frontend, Backend, Systems and more, working together
Tuenti Tech Teams. Frontend, Backend, Systems and more, working togetherTuenti
 
AJAX for Scalability
AJAX for ScalabilityAJAX for Scalability
AJAX for ScalabilityTuenti
 

Mehr von Tuenti (8)

Tuenti Release Workflow v1.1
Tuenti Release Workflow v1.1Tuenti Release Workflow v1.1
Tuenti Release Workflow v1.1
 
Tu: Telco 2.0 at FICOD 2011
Tu: Telco 2.0 at FICOD 2011Tu: Telco 2.0 at FICOD 2011
Tu: Telco 2.0 at FICOD 2011
 
Tuenti Mobile Development
Tuenti Mobile DevelopmentTuenti Mobile Development
Tuenti Mobile Development
 
Tuenti - tu entidad
Tuenti - tu entidadTuenti - tu entidad
Tuenti - tu entidad
 
DTS s03e02 Handling the code
DTS s03e02 Handling the codeDTS s03e02 Handling the code
DTS s03e02 Handling the code
 
DTS s03e04 Typing
DTS s03e04 TypingDTS s03e04 Typing
DTS s03e04 Typing
 
Tuenti Tech Teams. Frontend, Backend, Systems and more, working together
Tuenti Tech Teams. Frontend, Backend, Systems and more, working togetherTuenti Tech Teams. Frontend, Backend, Systems and more, working together
Tuenti Tech Teams. Frontend, Backend, Systems and more, working together
 
AJAX for Scalability
AJAX for ScalabilityAJAX for Scalability
AJAX for Scalability
 

Kürzlich hochgeladen

Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 

Kürzlich hochgeladen (20)

Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 

Web App Security Techniques for Developers

  • 1. Web Application Security Guillermo Pérez bisho@tuenti.com BE arch & Security Lead Eng. bcndevcon 2011
  • 2. Things to deal with... in web app security
  • 3. Web App security ● Anonymous attackers ● Worldwide access ● Shared environment for all users ● Easy distribution, profitable ● On top of all other components security: ○ Network security ○ OS security ○ Server software security ○ Social Engineering ○ Even more! browsers, plugins, virus, user computer security, shared computers, open wifis...
  • 5. Web App security Humans (developers) are the bigger risk Give tools, frameworks & policies so no developer has to ever think how to secure up things. Should be clear and the easiest path. But there is no perfect security...
  • 7. Top 10 security issues in webapps From OWASP (risks != frequency) 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection
  • 8. Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection
  • 9. 1. Injection flaws Trick services to execute unintended commands to gain control or access unauthorized data. ● Several types: ○ SQL ○ OS execution ○ LDAP ○ XPath ○ NoSQL ○ uploads
  • 10. 1. Injection flaws ● Explotability: EASY ● Prevalence: COMMON ● Detectability: AVERAGE ● Impact: SEVERE ● Prevention: ○ Keep untrusted data separate from commands ● How: ○ Use safe, parametrized apis vs writting code to be executed by interpreter. ○ Escape special chars depending on interpreter. ○ Data cast, whitelist input validation.
  • 11. 1. Injection flaws: SQL ● http://example.com/?id=' or '1'='1 ● Explicit cast, escaping IN-PLACE ○ mysqli_escape_string() ○ ... ● Use prepared statements ○ Provides data separation ○ Client-side implementations (PDO) ○ SELECT * FROM table where id=? ● Use safe apis for query generation ○ $mysqlService->select($table, $pk, $fields, $where...) ● Safe ORM framework ○ $storage->read($keys);
  • 12. 1. Injection flaws: OS ● Don't use OS execution :) ● Escape ○ escapeshellarg
  • 13. 1. Injection flaws: uploads ● Don't put them on public folder ● Don't use user-provided data for names ● Whitelist extensions ● Validate content ● Store separately from app (DB, separate servers) ● Ensure write permissions are the minimum possible
  • 14. Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection
  • 15. 2. XSS Trick services to return browser-executable code to user/s. ● Several classifications: ○ Breaking context vs sub-context ○ Persistant vs non-persistent ○ Traditional vs DOM
  • 16. 2. XSS ● Explotability: AVERAGE ● Prevalence: WIDESPREAD ● Detectability: EASY ● Impact: MODERATE ● Prevention: ○ Escape untrusted data depending on context ○ HTTP-Only Cookie mitigation is useless ● How: ○ Escape everything (even safe vars) ○ Escape in TEMPLATES (context aware) ○ Other (URL params) in specialized safe apis ○ Unit test
  • 17. 2. XSS: Classification by context ● Breaking context: ○ <a href="?id<?=$_GET['id']?>"> ○ "<script> ... ○ Easy to detect & test ■ Unit-test templates with all injections for all vars and validate html ● Non breaking context: ○ <a href="<?=$_GET['url']?>"> ○ javascript: ... ○ HARD TO DETECT
  • 18. 2. XSS: Classification by persistance ● Persistant ○ Data gets stored in DB ○ Users will be hit by regular navigation ○ Easier to test (templates) ● Non persistant ○ A request with some params returns XSS ○ Users need to be trick to navigate into the malicious link ○ More frequent (No results for 'blah') ○ Somewhat harder to test (cover error messages, non-template based responses)
  • 19. 2. XSS: Classification by mode ● Traditional ○ Just by exploiting browser parsing ○ Easy to test ● DOM ○ Cheating on JS ■ data from server injected in DOM ● Use innerText ● Do not compose html in JS ■ parsing data from uri, forms as 'safe' ○ Pretty hard to test. Avoid missuse, provide safe apis.
  • 20. 2. XSS @tuenti ● Escape on templates ● Escape everything, even what doesn't need to be escaped: ○ <?=View::escape_unsafe($html)?> ● Link generation framework ● Tests for templates, controllers
  • 21. 2. XSS: HTML ● Never put untrusted data in: ○ <script> contents ○ HTML comments ○ tag/attribute names ○ <style> contents ● Contexts: Content, attributes, url params, urls, js... ● Rich formating ○ Use alternative markup lang ■ Markdown ■ Textile ○ Filter HTML (white listing, carefull!!!)
  • 22. 2. XSS: JS ● Encode with xNNN (" might break HTML that is parsed before) ● Prefer reading values from dom ● URL pieces are not safe ● Beware of double context: setInterval('...'), eval()
  • 23. 2. XSS: JSON ● Easy to escape (single context) ● Can put the load on the browser (harder to test) ● Avoid mixing contexts (json on html, or json with/for html) ● Eval json as js can trigger js execution ○ Safe, full json encoding in server (never use half- baked json templates!!!) ○ Use the slow json-parse.js vs json.js regexp validation ● Be aware of context. content-type!
  • 24. Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection
  • 25. 3. Auth & Session Attack authentication and sessions to gain control over an account. ● Passwords ● Session issues
  • 26. 3. Auth & Session ● Explotability: AVERAGE ● Prevalence: COMMON ● Detectability: AVERAGE ● Impact: SEVERE ● Prevention: ○ SSL, good session handling, detect auth brute force, avoid plain text passwords, strong password recovery, user sessions control (logout, history, close all), detect anomalous login patterns...
  • 27. 3. Auth & Session ● Passwords ○ Use SSL or digest auth ○ Enforce good passwords, rotation ○ Store passwords securely (constant time salted hashes) ○ fight phising (easy URL, educate users) ● Authentication ○ Don't make distintions between bad login / password ○ Reset to hide real logins, time-limited tokens, old password invalidate resets ○ Detect brute force, lock accounts ○ Watch misconfigurations ○ Specially on admin, secondary platforms
  • 28. 3. Auth & Session ● Sessions ○ Random Ids, >= 128 bit ○ Use SSL ○ Use secure=yes, httponly for cookies ○ No session fixation ○ No session ids in URLs ○ Change session id on priviledge scalation or switch between http->https ○ Expiration ○ Offer logout, history, close all ○ Do not send cookies to CDNs, non-principal sites
  • 29. Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection
  • 30. 4. Direct object references Apps usually map backend objects to URLs. An attacker might bypass privacy and authentication by accessing directly to resources if don't do the appropiate checks. ● Trusted params ● Images
  • 31. 4. Direct object references ● Explotability: EASY ● Prevalence: COMMON ● Detectability: EASY ● Impact: MODERATE ● Prevention: ○ Properly check privacy on all objects ○ Good policy on where to put the privacy check ○ Do not trust params. Sign params is an option ○ Hide real db keys (show pos X in search Y, /me) ○ Make urls hard to guess
  • 32. 4. Direct object references Sounds stupid... ...but happens!
  • 33. 4. Direct object references ● Never check privacy on controllers ● Never check privacy on storage layer ● Privacy in backend api methods ○ With entry point documentation ○ Clear responsibility for privacy! ○ Most of the time implicit with good api design ○ Good performance ○ Easy to use privacy framework
  • 34. 4. Direct object references ● Documentation /* * @epoint-changes-state YES * @epoint-privacy-control IMPLICIT * - Only deletes current user tag if exists. * @epoint-summary Deletes the current user's tag on a photo *... */ public function deleteMyTag($photoKey) { $userId = CurrentUser::getId(); ...
  • 35. 4. Direct object references ● Privacy framework api ○ TPrivacy::hasAnyOf / hasAllOf ○ + Privacy providers if (TPrivacy::hasAnyOf( CurrentUser::getId() == $photoOwner, array('TagApi', TagApi::IS_TAGGED, $photoKey), array('... ... )) {
  • 36. Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection
  • 37. 5. CSRF Cross site request forgery [CSFR in tuenti :)] Trick a authenticated user to submit requests to a service and do actions without consent. The browser will send the cookies and the request might look legit. ● Image tags (get) ● Forms (post) ● ...
  • 38. 5. CSRF ● Explotability: AVERAGE ● Prevalence: WIDESPREAD ● Detectability: EASY ● Impact: MODERATE ● Prevention: ○ Require a non-predictable token param on all actions that modify state ○ Use POST for all actions that modify state ○ Use custom header in ajax requests ○ Check Origin header when available!!!
  • 39. 5. CSRF @tuenti: ● Before was check when using a post param ○ Default values caused us issues ● Now explicit annotation on controllers ○ @ChangesState ● Evangelize developers
  • 40. Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection
  • 41. 6. Security misconfiguration Missing security updates, open proxies, open ports, default accounts, directory listing, forgotten hardening...
  • 42. 6. Security misconfiguration ● Explotability: EASY ● Prevalence: COMMON ● Detectability: EASY ● Impact: MODERATE ● Prevention: ○ Develop install & configuration procedures ○ Document services and subscribe to updates ○ Hide services versions when possible ○ Separate components to minimize risks
  • 43. 6. Security misconfiguration @tuenti: ● we are big >1k servers ○ + possibilities for some issue ● But... ○ We use config management (pupet) ○ Good deployment procedures, documentation ○ Very isolated services ○ Few generic web components ○ Good systems team
  • 44. Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection
  • 45. 7. URL access Attacker guesses URLs that lead to functionality, information.
  • 46. 7. URL access ● Explotability: EASY ● Prevalence: UNCOMMON ● Detectability: AVERAGE ● Impact: MODERATE ● Prevention: ○ Deny by default ○ Deploy by selection
  • 47. 7. URL access @tuenti ● Good deploy system ● Splited environments for production and dev ● Most non-public services restricted to vpn + centralized auth
  • 48. Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection
  • 49. 8. Unvalidated redirects Use a service redirect to trick users into clicking on a link (belongs to valid service) and achieve more effective phising/virus downloads/revenue.
  • 50. 8. Unvalidated redirects ● Explotability: AVERAGE ● Prevalence: UNCOMMON ● Detectability: EASY ● Impact: MODERATE ● Prevention: ○ Don't expose destination URL as param, use references to a white list ○ Ensure end URLs are safe (Safe search, user reporting tools...)
  • 51. Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection
  • 52. 9. Insecure crypto storage Some data is sensible enought to require being stored encripted/hashed, to protect it from being stolen. Unsalted hashes might be exploitable, backups might contain keys or cleartext, services might expose decrypt mecanisms, internal attacks might have access to keys.
  • 53. 9. Insecure crypto storage ● Explotability: DIFFICULT ● Prevalence: UNCOMMON ● Detectability: DIFFICULT ● Impact: SEVERE ● Prevention: ○ Keep backups encripted, don't store keys on same place. ○ Use salted hashes and constant time hashes ○ Ensure keys are protected ○ Don't offer full info (credit card XXXX 1234)
  • 54. Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection
  • 55. 10. Transport layer protection An attacker might sniff traffic of your users to steal sessions to retrieve data, do spam...
  • 56. 10. Transport layer protection ● Explotability: DIFFICULT ● Prevalence: COMMON ● Detectability: EASY ● Impact: MODERATE ● Prevention: ○ Ensure to use SSL on all requests & resources loaded. ○ Change session ids when switching to https. ○ If optional, try to detect shared IPs and auto-enable on those.
  • 57. Top 10 security issues in webapps 1. Injection 2. XSS 3. Broken auth, session management 4. Insecure direct object references 5. CSRF 6. Security misconfiguration 7. Failure to restrict URL access 8. Unvalidated redirects 9. Insecure crypto storage 10. Insufficient transport layer protection 11. Extras
  • 58. 11. Extras: Cross domain data leak Ajax is changing the web apps, with js-rich clients that request data. Beware of exposing JS / JSON user data through GET requests without CSRF tokens/headers! <script> tag is not Cross Domain safe! ● Require custom header (needs XMLhttpRequest) keep using GET ● Check origin header
  • 59. 11. Extras: Clickjacking Trick users to click/copy content on your page (by-passing CSRF) by using a hidden frame ● Use Frame-options ● Some anti-frame JS (hard) ○ top.location might not be accesible, cause JS error ○ redirections might be cancelled ○ Best (not pretty): blank page with link target _blank, if top. location == self.location, add content
  • 60. 11. Extras: Unicode ● Filter special unicode that can break design ● UTF encoding might bypass your XSS-filters ● UTF url encoding might bypass directory checks... ● NULL code %00 might bypass suffixes
  • 61. 11. Extras: HTTP/Mail Headers ● Are subject to CR/LF injection, leading to ○ XSS ○ Spam ○ redirection ○ ... ● Use safe api
  • 62. 11. Extras: People ● People is always the weakest link ● Phising ○ Educate ○ Good urls ○ Design ○ Referer analysis ○ React ● Self-inflicted JS injection ○ Educate ○ Filter content, be aware of surges
  • 64. No input validation? Minimize malformed data, make it match business needs. NOT as primary method to avoid XSS, injection... ● Rules: ○ SERVER SIDE ○ Apply to all (form, url params, cookies, http headers) ○ Define whitelists of valid chars ○ Define length ○ Business on top of that
  • 65. No input validation? ● Even thought, tuenti has a good validation system: ○ Based on annotations on controllers. ○ At data layer (storage definition) ● Makes exploits harder ● Good practice, clean code ● Explicit args in controllers
  • 67. Logging, stats, counters ● Very important for security ● Stats: ○ Detect issues, patterns to take measures. ● Logs ○ Analize issues. ● Counters ○ Detect & react to malicious activity
  • 68. Error handling ● Sanitize error messages, use same templating system ● Do not provide information to users ● Control debug mode ● Dangers: ○ Log review tools (XSS) ○ As payload upload mecanism
  • 69. Community ● Take care of community! ○ Thank security researchers ○ Reply fast ○ <24h fix policy ○ Tipically <2h! ○ Hall of FAME!!! ● How to report ○ Standard box security@tuenti.com + dns entries ○ Regular user support ○ Researchers know us
  • 71. Browser XSS protections ● Reflexion XSS protection ○ Different implementations IE8, chrome ○ Adds issues, new problems ○ Non perfect, might improve?
  • 72. Client side templates ● Data only requests are easier to escape ● It's harder to inject data into client-side templates (only persistent XSS) ● Templates might work in DOM mode ● SLOW in non recent browsers
  • 73. Better JS ● More secure mashups ○ Google Caja... ● More enterprise JS ○ Dart, GWT, Closure, CoffeeScript
  • 74. Plugins ... Apis ... Browsers ● Flash plugin will die! ● But new HTML5 apis will bring more issues ● Browsers extensions nightmare
  • 75. Avoid cookies Using XMLHttpRequest with sid as param, from rich JS apps. Destination domain that does not have cookies. ● Decreases attack vectors on: ○ CSRF ○ Click jacking
  • 76. SSL improvements ● HSTS ○ Force SSL ○ Certificate pinning ● False start ○ -30% handshake latency
  • 77. Content Security Policy (Mozilla) ● Restricts a lot of attacking vectors ○ Forbids inline javascript ○ Forbids dynamic js code: eval, setTimeout(<string>) ○ Restricts inline data source (can be reverted for images for example) ○ Whitelist sources for each type of content (js, css, images, ajax...) ○ Configures frame permissions better ● Hard to implement in complex sites ○ twitter mobile is using it ○ Reports issues (to detect attacks, debug/testing phase)
  • 78. ? bisho@tuenti.com We are hiring! http://jobs.tuenti.com