The Web Is Broken
      Why every feature is, in fact, a loophole!
      “The first matrix I designed was quite naturally, perfect. It was a work
       of art. Flawless. Sublime. A triumph only equaled by its monumental failure.”
Bipin Upadhyay                                   http://projectbee.org
RoadMap
    •    Introduction
    •    Attacks
    •    The Arsenal
    •    Breaking the Web
    •    Preventing the Breakage
Who Am I?
    • I am SpiderMan

    • Apart from that, I:
          – am a part of ADMS
          – work on WebAppSec
          – am co-author of a yet to be released book

    • I can be pinged @:
          – http://blog.projectbee.org
          – Om-[AT]-PROJectBee-[DOT]-org
Web 1.0 versus Web 2.0
Technologies Involved
Fundamentals
    Fundamentals, less or more, still the same.
Fundamentals…
    Diagram (layers, top to bottom):
          – Users
          – Firewall / IDS
          – Web server (server side scripts like PHP, ASP, JSP etc.)
          – Databases
Network Sec. versus Web Sec.
    Diagram: the attacker on the left, the web server on the right, a
    Firewall/IDS/IPS in between; of the port range 0–65535 only 80 and 443
    are shown passing through to the web server.
Network Sec. versus Web Sec…
    Diagram: the roles reversed: a malicious or compromised web server on
    the left, the victim behind a Firewall/NATed IP on the right, with the
    port range 0–65535 marked on the victim’s side.
How serious is the matter!
    • 90% of web applications have serious
      vulnerabilities –Gartner Group

    • 78% of attacks are at the web application
      level –Symantec

    • XSS and SQLI replacing buffer overflows as
      the favourite hacker initiative –Mitre

    • 8 to 9 out of every 10 sites vulnerable to XSS –WASC
What’s @ Stake
    •    Money
    •    Data
    •    Reputation
    •    Faith/Trust
    •    and…
It’s a Mythical World out there…
    • Myths often prevail over rationality.
    • Myths often are the cause of devastation.
Myth Buster
    • Myth:
          – My developers have implemented security
    • Reality:
          – Security ain’t no feature dude! It’s a metric.
Myth Buster…
    • Myth:
          – Security is a non-functional requirement
    • Reality:
          – By definition, Yes!
Myth Buster…
    • Myth:
          – We use blah-blah framework. We’re safe
    • Reality:
          – Frameworks are encouraged. Human brain isn’t.
Myth Buster…
    • Myth:
          – Java is secure by design
    • Reality:
          – Maybe! But the web isn’t… nor is the human brain.
Myth Buster…
    • Myth:
          – SSL is secure from sniffing
    • Reality:
          – Far from it. It’s difficult for sure, though
Myth Buster…
    • Myth:
          – Procedures mean no SQL Injection
    • Reality:
          – Not always.
Myth Buster…
    • Myth:
          – I use firewall. I am safe.
    • Reality:
          – So what? Your browser ports are open.
Myth Buster…
    • Myth:
          – I use the latest antivirus and my system is patched.
    • Reality:
          – Big Deal!!!
Myth Buster…
    • Myth:
          – I browse the net from inside a LAN.
    • Reality:
          – Urghhh! Browser dude, browser!
Myth Buster…
    • Myth:
          – Human stupidity is infinite
    • Reality:
          – There you go! ☺
RoadMap…
    •    Introduction
    •    Attacks
    •    The Arsenal
    •    Breaking the Web
    •    Preventing the Breakage




Injection Attacks
    • A form of attack where the user input
      manipulates the underlying platform in an
      undesired way.

    • Several variants:
          – SQL Injection
          – Command Injection
          – LDAP Injection
          – XPATH Injection
          – XML Injection
          – JSON Injection
SQL Injections
XSS
    • OWASP Top - 10 2007 #1

    • Any type of user input that is reflected back to
      the user without being sanitized or encoded.

    • Input can be HTML, CSS, or Javascript

    • Two kinds: Persistent & Non-Persistent XSS
XSS…
    • XSS attacks include, but are not limited to:
          – Cookie Theft & Session Hijacking
          – Site Defacement & Phishing
          – Key logging
          – History Theft
          – Port Scanning
          – CSRF & Web Worms
          – DoS-ing
          – … limited only by imagination
CSRF
    • Also called Unauthorized Requests.

    • The server is punished/exploited for trusting
      the user.

    • CSRF is, arguably, more dangerous than XSS.

    • Doesn’t necessarily require javascript.

    • OWASP Top - 10 2007 #5, (also called the
      Sleeping Giant)
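Added example (not the deck’s own code) of the two coding-phase measures this deck recommends later, “Use nonces to prevent CSRF” and “Prefer HttpOnly Cookie”: the session id is issued in a cookie flagged HttpOnly and Secure, a per-session nonce is derived from it with HMAC, and the state-changing handler rejects any POST whose form field does not carry that nonce. SECRET_KEY, the handler and the form layout are assumed for the demonstration.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Hypothetical server secret; a real deployment loads it from configuration (constructed here).
SECRET_KEY = b"constructed-demo-key-do-not-use"


def new_session_cookie():
    """Issue a random session id and the Set-Cookie header that carries it.
    HttpOnly keeps it out of document.cookie (the cookie-theft case on the XSS slide),
    Secure keeps it off plain HTTP."""
    sid = secrets.token_urlsafe(32)
    jar = SimpleCookie()
    jar["sid"] = sid
    jar["sid"]["httponly"] = True
    jar["sid"]["secure"] = True
    jar["sid"]["path"] = "/"
    return sid, jar.output(header="Set-Cookie:")


def csrf_token(sid: str) -> str:
    """Per-session nonce derived from the session id; the server embeds it in its own forms."""
    return hmac.new(SECRET_KEY, b"csrf:" + sid.encode(), hashlib.sha256).hexdigest()


def handle_transfer(cookie_header: str, body: str) -> str:
    """State-changing POST handler (assumed).  The cookie proves who the user is;
    the nonce proves the request was built from a form this site served."""
    jar = SimpleCookie(cookie_header)
    if "sid" not in jar:
        return "401 no session"
    sid = jar["sid"].value
    form = parse_qs(body)
    sent = form.get("csrf_token", [""])[0]
    # Constant-time comparison so the check does not leak how many characters matched.
    if not hmac.compare_digest(sent, csrf_token(sid)):
        return "403 csrf check failed"
    amount = form.get("amount", ["0"])[0]
    return f"200 transferred {amount}"
```

A cross-site form makes the browser attach the cookie, but it can neither read the cookie nor compute the nonce, so the forged POST fails the 403 path even though, as the slide says, no JavaScript was needed to send it. Deriving the nonce from the session id keeps the check stateless; a per-request random token stored server-side works the same way at the cost of storage.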
Cookie Poisoning
    • Cookies sometimes store confidential data

    • This information can be manipulated for fun
      and profit.
      e.g., price of a product on an ecommerce site
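A server-side answer to the cookie-poisoning case above, written as an added example (not code from the deck): the cart cookie carries only SKUs and quantities, the price is looked up in a server-side catalogue, and an HMAC tag over the cookie value lets the server detect any edit. SECRET_KEY, CATALOGUE and the cookie format are constructed for the demonstration.

```python
import hashlib
import hmac
from decimal import Decimal

# Hypothetical server-side secret; load it from configuration in practice (constructed here).
SECRET_KEY = b"constructed-demo-key-do-not-use"

# Constructed catalogue: the price the server trusts lives here, never in the cookie.
CATALOGUE = {"sku-1001": Decimal("49.99"), "sku-1002": Decimal("5.00")}


def sign_cookie(value: str) -> str:
    """Append an HMAC-SHA256 tag so that any edit to the value is detectable."""
    tag = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_cookie(cookie: str):
    """Return the value if the tag matches; None if the cookie was altered or malformed."""
    value, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return value


def cart_total(cookie: str):
    """Recompute the total from the catalogue.  Cookie value format (constructed):
    'sku:qty,sku:qty'.  Returns None when the cookie fails verification or names
    an unknown SKU."""
    value = verify_cookie(cookie)
    if value is None:
        return None
    total = Decimal("0")
    for item in value.split(","):
        sku, _, qty = item.partition(":")
        if sku not in CATALOGUE or not qty.isdigit():
            return None
        total += CATALOGUE[sku] * int(qty)
    return total
```

The two defences are independent: even with a forged tag the price never comes from the client, and even if a price were in the cookie the tag would expose the edit. Keep the key out of source control; rotating it invalidates every outstanding cookie, which is the intended effect after a leak.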




HTTP Response Splitting
    • Attacker splits the HTTP response into two.

    • Watch out for redirection scripts using user
      input in response headers

    • CR-LF (0x0d & 0x0a) is the key to response
      splitting

    • Web/browser cache poisoning, XSS etc.
      attacks possible
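Added example illustrating the CR-LF point above (not the author’s code): a redirect builder that places a decoded query parameter into Location unchecked, next to a hardened builder that refuses CR/LF in any decoded form and accepts only relative targets. parse_headers is a small helper for inspecting the result; all names and the sample input are constructed.

```python
from urllib.parse import unquote


class InvalidHeaderValue(ValueError):
    """Raised when user input is not acceptable inside a response header."""


def build_redirect_unsafe(target: str) -> bytes:
    """The 'before' case: the decoded user value goes into Location unchecked.
    A CR-LF in the value ends the header and starts a new one (or a new response)."""
    return f"HTTP/1.1 302 Found\r\nLocation: {unquote(target)}\r\n\r\n".encode()


def sanitize_header_value(value: str) -> str:
    """Reject CR/LF whether raw, percent-encoded (%0d%0a) or double-encoded (%250d%250a)."""
    decoded = value
    for _ in range(2):            # unwrap up to two layers of percent-encoding
        decoded = unquote(decoded)
    if "\r" in decoded or "\n" in decoded:
        raise InvalidHeaderValue("CR/LF not allowed in header value")
    return decoded


def build_redirect_safe(target: str, allowed_prefix: str = "/") -> bytes:
    """Hardened variant: CR/LF rejected and only same-site relative targets accepted
    (a scheme-relative '//host' would be an open redirect)."""
    loc = sanitize_header_value(target)
    if not loc.startswith(allowed_prefix) or loc.startswith("//"):
        raise InvalidHeaderValue("redirect target rejected")
    return f"HTTP/1.1 302 Found\r\nLocation: {loc}\r\n\r\n".encode()


def parse_headers(raw: bytes) -> dict:
    """Split the header block of a raw response into a name->value dict (status line dropped)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode()
    lines = head.split("\r\n")[1:]
    return dict(line.split(": ", 1) for line in lines if ": " in line)


# Constructed sample: a redirect target that smuggles a second header line.
SAMPLE_INPUT = "/home%0d%0aSet-Cookie:%20injected=1"
```

Run parse_headers over build_redirect_unsafe(SAMPLE_INPUT) and the injected Set-Cookie shows up as a header of its own; build_redirect_safe raises instead. Rejecting is preferable to stripping: an input with CR/LF in a redirect target is never legitimate, and silently removing characters invites encoding tricks that the filter did not anticipate.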

Google Hacking
    • Search engines index all permissible
      documents inside the web tree

    • This data can be retrieved using special
      queries:
          – site:<sitename>
          – inurl:<string>
          – intitle:<string>
          – filetype:<string>


Scary Cracks
    • Credit Cards & Google

    • Google.com UTF-7 XSS Vulnerability

    • Yamanner

    • “Samy is my Hero” OR Samy Worm

    • Bank Of India Hack

    • GMail CSRF Vulnerability
RoadMap…
    •    Introduction
    •    Attacks
    •    The Arsenal
    •    Breaking the Web
    •    Preventing the Breakage




The Arsenal
    •    A Web browser
    •    Textbox/Textarea
    •    Iframe
    •    TamperData/TamperIE
    •    WebScarab
    •    Fuzzer (Crowbar)
    •    Google



RoadMap…
    •    Introduction
    •    Attacks
    •    The Arsenal
    •    Breaking the Web
    •    Preventing the Breakage




Google Hacking
    • Search engines index anything and everything
    • Demo




Exploiting Mistakes
    • Client side validation isn’t enough
    • Demo

    • “Clues in Codes/Comments”
    • Demo

    • Insecure implementation of “Forgot
      Password” feature
    • Demo

Exploiting Mistakes…
    • Overly verbose error messages
    • Demo

    • Cookies aren’t for sensitive data
    • Demo

    • Brute forcing Session id
    • Demo


Exploiting Zero Days
    • URI Vulnerabilities
    • Demo




Injection Attacks
    • SQL Injections
    • Demo

    • Command Injection
    • Demo

    • XPATH Injection
    • Demo


XSS Family
    • XSS (Cross Site Scripting)
    • Demo

    • XSS and encoding mistakes
    • Demo

    • CSRF, the sleeping Giant
    • Demo


Http Response Splitting
    • Why is the user evil?
    • Demo




RoadMap…
    •    Introduction
    •    Attacks
    •    The Arsenal
    •    Breaking the Web
    •    Preventing the Breakage




SDLC
    • Integrate security into SDLC

      Design → Coding → Testing → Deployment
Design Phase
    • Stick to standards

    • Encourage usage of well-proven frameworks

    • Prefer Whitelisting over Blacklisting

    • Prefer Onion Model over Garlic Model




Coding Phase
    • Do NOT trust the user.

    • Do NOT rely on Client side validation.

    • Prefer HttpOnly Cookie to avoid cookie theft

    • Use nonces to prevent CSRF

    • Don’t just hash passwords, salt them too

    • Avoid too verbose/meaningful error messages
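Worked example for “Don’t just hash passwords, salt them too”, added here and not taken from the deck: an unsalted SHA-256 next to a salted PBKDF2-HMAC-SHA256 from the standard library, with the salt and iteration count stored alongside the digest so they can be changed later. The storage format and the ITERATIONS value are choices made for this example.

```python
import base64
import hashlib
import hmac
import os

# Cost factor chosen for this example; raise it as hardware gets faster.
ITERATIONS = 600_000


def hash_password_unsalted(password: str) -> str:
    """The weak scheme: identical passwords give identical digests, so one
    precomputed table (or one cracked account) breaks every user with that password."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted, iterated hash.  The stored string carries algorithm, iterations and salt
    (format constructed here: 'pbkdf2_sha256$<iters>$<salt b64>$<digest b64>')."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters embedded in the stored value and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iters, salt_b64, dk_b64 = parts
    salt = base64.b64decode(salt_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))
```

The salt defeats precomputed tables; the iteration count is what makes each guess expensive, and the deck’s advice is incomplete without it. Storing the parameters with the digest lets you raise ITERATIONS for new hashes while old ones still verify.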
Coding Phase…
    • Proper encoding can avoid most problems

    • Input Encoding
          – prefer UTF-8 and ISO-8859-1
          – refer http://ha.ckers.org/charsets.html

    • Output Encoding
          – avoid rich html input from user
          – decimal encode input before displaying
          – refer OWASP_Encoding_Project
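Added example, not from the deck, for the XSS definition earlier (“reflected back to the user without being purified”) and the output-encoding advice above: one constructed comment rendered verbatim, rendered with the decimal entity encoding the slide recommends, and placed inside an attribute with html.escape. Function names are assumptions.

```python
import html


def decimal_encode(text: str) -> str:
    """Encode every character except letters, digits and spaces as a decimal
    numeric entity (&#NN;), the approach the slide recommends.  The browser
    still displays the original character, but the parser never sees markup."""
    return "".join(
        ch if ch.isalnum() or ch == " " else f"&#{ord(ch)};" for ch in text
    )


def render_comment_unsafe(user_text: str) -> str:
    """Reflects the input verbatim: any markup the user typed becomes part of the page."""
    return f'<p class="comment">{user_text}</p>'


def render_comment(user_text: str) -> str:
    """Element-body context: entity-encode before reflecting."""
    return f'<p class="comment">{decimal_encode(user_text)}</p>'


def render_attribute(user_text: str) -> str:
    """Attribute context: html.escape with quote=True also neutralises the quote
    characters that would otherwise close the attribute and start a new one."""
    return f'<input type="text" name="q" value="{html.escape(user_text, quote=True)}">'


# Constructed sample input a tester would submit to a comment form.
SAMPLE_COMMENT = "<script>alert(1)</script>"
```

Encoding is per context: what is safe in an element body is not enough inside an attribute, a URL or a script block, which is why the slide’s “avoid rich html input” advice matters. Encode at output time rather than at input time, so the stored data stays usable for other channels.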

Coding Phase…
    • Sanitize anything that comes from the user.
Coding Phase…
    • Filter Metacharacters:
          – <  (%3c)    >  (%3e)
          – |  (%7c)    `  (%60)
          – &  (%26)    (  (%28)
          – %0d  %0a    ..
          – /  (%2f)    \  (%5c)

    • RegEx is your friend

    • Use Stored Procedures

    • Prefer usage of bind variables in SQL statement
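Added example (not the author’s code) for “Prefer usage of bind variables”: the same lookup built by string concatenation and with a bound parameter, run against a constructed in-memory SQLite table. The input that widens the concatenated query to every row is just a non-matching username when bound. It also bears on the earlier “Procedures means no SQL Injection … Not always” myth: a stored procedure that concatenates its arguments into dynamic SQL has exactly the first function’s problem.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    conn.commit()
    return conn


def find_user_concat(conn, username):
    """String-built query: the input is parsed as SQL, so quoting characters
    change the statement itself."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_bound(conn, username):
    """Bind variable: the driver passes the value separately from the statement;
    it is compared as data and can never become SQL syntax."""
    return [
        row[0]
        for row in conn.execute(
            "SELECT username FROM users WHERE username = ?", (username,)
        )
    ]


# Constructed test input: a quote that closes the literal plus an always-true clause.
PROBE = "x' OR '1'='1"
```

Binding handles values only; table and column names, ORDER BY targets and the like cannot be bound and must come from a fixed allow-list on the server. The deck’s “Filter Metacharacters” list is a second layer, not a replacement for binding.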

Testing Phase
    • Code Auditing:
          – OWASP – LAPSE plugin (Java)
          – SPI Dynamics’ DevInspect (Java & .NET), etc.

    • Web Application Scanners
          – w3af
          – Watchfire AppScan
          – SPI Dynamics’ WebInspect, etc.

    • No substitute for an experienced human eye
Deployment Phase
    • Keep out of the Web Tree; use robots.txt

    • Set minimal permissions

    • Keep the system patched & patched

    • Use Web Application Firewall
          – urlScan
          – ModSecurity
          – SecureIIS, etc.
                                …but, most importantly
Education
    Educate your developers.
Final Words
    • www was designed for information exchange

    • Today, too much is at stake

    • Ignorance is no longer bliss

    • Take responsibility and…
Final Words…
    …be prepared.

    “Do you know what HTML 5.0 and XHTML2.0 have in store
     for us? You don't even want to know…”
                                  –Ronald van den Heetkamp
…and Finally,
     String.fromCharCode(84,104,97,110,107,32,89,111,117,33)

     i.e., Thank You! ☺
Acknowledgements
    •    Lalit Patel (http://lalit.org) & Lucky (http://reboot.in)
    •    http://flickr.com
    •    http://flickr.com/photos/jeanetteb1/1400824517
    •    http://flickr.com/photos/jbhalper/334521840
    •    http://flickr.com/photos/hondawang/566041603
    •    http://flickr.com/photos/14018070@N08/1438910620
    •    http://flickr.com/photos/44368636@N00/76684587
    •    http://www.cyberpunkreview.com/images/matrixreloaded63.jpg
    •    www.flickr.com/photos/johnengler/211482969
    •    http://www.flickr.com/photos/lamkevin/458083458
    •    http://www.flickr.com/photos/beavis/459281241
    •    http://flickr.com/photos/briansolis/326278887
    •    http://www.flickr.com/photos/focus2capture/297232107
    •    http://flickr.com/photos/complexify/97303317
    •    http://flickr.com/photos/amyking/142161588
    •    http://xkcd.com/327/

References
    •    http://search.yahoo.com (To be safer)
    •    http://0x000000.com
    •    http://ha.ckers.org
    •    http://sla.ckers.org
    •    http://gnucitizen.com
    •    XSS Attacks (Syngress Publications)
    •    PenTesting for Web Applications (Wrox)
    •    Hacking Exposed (Tata McGraw Hill)
    •    19 Deadly Sins of Software Security (Tata McGraw Hill)
    •    OWASP & WASC
    •    David Kierznowski, Amit Klein, Jeremiah Grossman, Gareth Heyes,
         Andres Riancho, Ronald, RSnake, pdp, Billy Rios, Nate, Thor, …
         … and a lot many more
Got Questions???
    Shoot them.

 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 

Kürzlich hochgeladen (20)

A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 

"The Web Is Broken" by Bipin Upadhyay

  • 1. The Web Is Broken: Why every feature is, in fact, a loophole!
  • 2. "The first matrix I designed was quite naturally perfect. It was a work of art. Flawless. Sublime. A triumph only equaled by its monumental failure." Bipin Upadhyay, http://projectbee.org
  • 3. RoadMap: Introduction; Attacks; The Arsenal; Breaking the Web; Preventing the Breakage
  • 4. RoadMap…: Introduction; Attacks; The Arsenal; Breaking the Web; Preventing the Breakage
  • 5. Who Am I?
    – I am SpiderMan.
    – Apart from that, I am a part of ADMS, work on WebAppSec, and am co-author of a yet-to-be-released book.
    – I can be pinged at http://blog.projectbee.org or Om-[AT]-PROJectBee-[DOT]-org
  • 6. Web 1.0 versus Web 2.0 (image)
  • 8. Fundamentals: more or less, still the same.
  • 9. Fundamentals… (diagram: users → Firewall / IDS → web server running server-side scripts such as PHP, ASP, JSP → databases)
  • 10. Network Sec. versus Web Sec. (diagram: of ports 0 to 65535 the firewall/IDS/IPS leaves 80 and 443 open by design, so the attacker reaches the web server through the perimeter)
  • 11. Network Sec. versus Web Sec… (diagram: the victim sits behind a firewall/NATed IP and connects out to a malicious or compromised web server; the attack rides the connection the victim initiated)
  • 12. How serious is the matter!
    – 90% of web applications have serious vulnerabilities (Gartner Group)
    – 78% of attacks are at the web application level (Symantec)
    – XSS and SQLi are replacing buffer overflows as the favourite hacker initiative (Mitre)
    – 8 to 9 out of every 10 sites are vulnerable to XSS (WASC)
  • 13. How serious is the matter!… (image)
  • 14. How serious is the matter!… (image)
  • 15. What's @ Stake: Money; Data; Reputation; Faith/Trust; and…
  • 16. What's @ Stake… (image)
  • 17. It's a Mythical World out there…
    – Myths often prevail over rationality.
    – Myths are often the cause of devastation.
  • 18. Myth Buster
    – Myth: My developers have implemented security.
    – Reality: Security ain't a feature, dude! It's a metric.
  • 19. Myth Buster…
    – Myth: Security is a non-functional requirement.
    – Reality: By definition, yes!
  • 20. Myth Buster…
    – Myth: We use blah-blah framework, so we're safe.
    – Reality: Frameworks are encouraged. Switching off the human brain isn't.
  • 21. Myth Buster…
    – Myth: Java is secure by design.
    – Reality: Maybe! But the web isn't… nor is the human brain.
  • 22. Myth Buster…
    – Myth: SSL protects against sniffing.
    – Reality: Far from it. It makes sniffing harder, for sure.
  • 23. Myth Buster…
    – Myth: Stored procedures mean no SQL injection.
    – Reality: Not always; a procedure that builds dynamic SQL from its arguments is just as injectable.
  • 24. Myth Buster…
    – Myth: I use a firewall, so I am safe.
    – Reality: So what? The ports your browser uses are open.
  • 25. Myth Buster…
    – Myth: I use the latest antivirus and my system is patched.
    – Reality: Big deal!!!
  • 26. Myth Buster…
    – Myth: I browse the net from inside a LAN.
    – Reality: Urghhh! Browser, dude, browser!
  • 27. Myth Buster…
    – Myth: Human stupidity is infinite.
    – Reality: There you go! ☺
  • 28. RoadMap…: Introduction; Attacks; The Arsenal; Breaking the Web; Preventing the Breakage
  • 29. Injection Attacks
    – A class of attack in which user input changes the meaning of a command or query handed to the underlying platform (database, shell, directory, parser) rather than being treated as plain data.
    – Several variants: SQL Injection; Command Injection; LDAP Injection; XPATH Injection; XML Injection; JSON Injection
  • 30. SQL Injections (image)
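The injection slide and the "stored procedures mean no SQL injection" myth above are best seen side by side. The following is an added example written for this page, not code from the deck: a login lookup done by string concatenation next to the same lookup done with bind variables, run against a constructed in-memory SQLite table (the user names and passwords are made up). A stored procedure that concatenated its arguments the same way would behave exactly like `login_vulnerable`; the fix is the parameter, not the procedure. Plaintext passwords are kept only to keep the injection visible; a real login compares salted hashes.

```python
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed sample data for the demo: two users (not from the slides)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT)")
    con.executemany(
        "INSERT INTO users (name, pw) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    con.commit()
    return con


def login_vulnerable(con: sqlite3.Connection, name: str, pw: str) -> List[int]:
    """Anti-pattern: the user's text is pasted into the SQL grammar.

    Wrapping exactly this concatenation inside a stored procedure (EXEC of a
    built-up string) changes nothing: the injection point is the
    concatenation, not the place where the query text lives.
    """
    sql = f"SELECT id FROM users WHERE name = '{name}' AND pw = '{pw}' ORDER BY id"
    return [row[0] for row in con.execute(sql)]


def login_safe(con: sqlite3.Connection, name: str, pw: str) -> List[int]:
    """Bind variables: the query text and the values travel separately, so a
    quote or keyword inside the input can never become part of the SQL."""
    sql = "SELECT id FROM users WHERE name = ? AND pw = ? ORDER BY id"
    return [row[0] for row in con.execute(sql, (name, pw))]


# Classic tautology in the password field. AND binds tighter than OR, so the
# WHERE clause becomes (name='alice' AND pw='') OR '1'='1', true for every row.
PAYLOAD = "' OR '1'='1"


def demo() -> dict:
    """Run both lookups with real credentials and with the payload."""
    con = make_db()
    return {
        "vulnerable, real creds": login_vulnerable(con, "alice", "s3cret"),
        "vulnerable, payload": login_vulnerable(con, "alice", PAYLOAD),
        "safe, real creds": login_safe(con, "alice", "s3cret"),
        "safe, payload": login_safe(con, "alice", PAYLOAD),
    }


if __name__ == "__main__":
    for label, ids in demo().items():
        print(f"{label:24s} -> matched user ids {ids}")
```

With the payload, the concatenated query matches every user (the attacker is logged in as the first row returned), while the parameterised query matches nobody because the driver compares the literal string `' OR '1'='1` against the stored password.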
  • 31. XSS
    – OWASP Top 10 2007, #1
    – Any user input that is reflected back to users without being properly encoded or sanitised.
    – The injected input can be HTML, CSS or JavaScript.
    – Two kinds: persistent (stored) and non-persistent (reflected).
  • 32. XSS…
    – XSS attacks include, but are not limited to: cookie theft and session hijacking; site defacement and phishing; key logging; history theft; port scanning; CSRF and web worms; DoS; … limited only by imagination.
  • 33. CSRF
    – Also called unauthorised requests.
    – The server is exploited for trusting the user: it honours any request that carries the victim's session cookie, no matter which site's page triggered it.
    – CSRF is, arguably, more dangerous than XSS.
    – Doesn't necessarily require JavaScript; a plain HTML form or image tag will do.
    – OWASP Top 10 2007, #5 (also called the Sleeping Giant).
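The CSRF slide above and the "use nonces to prevent CSRF" advice in the Coding Phase section describe the same control. As an added example (written for this page, not from the deck), here is a state-changing endpoint protected by a per-session anti-CSRF token. The token is bound to the session id with an HMAC, so the server stores nothing and a token an attacker obtains from his own session does not validate in the victim's; the issue time inside the token gives it a lifetime. `SERVER_KEY`, the session ids and the `handle_transfer` endpoint are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumption: a per-deployment secret held only on the server (generated here
# for the demo; in production it is loaded from configuration).
SERVER_KEY = secrets.token_bytes(32)
TOKEN_MAX_AGE = 3600  # seconds a token stays valid


def _mac(session_id: str, issued: int, nonce: str) -> str:
    msg = f"{session_id}|{issued}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str, now: Optional[float] = None) -> str:
    """Token = issue time . random nonce . HMAC(session id, time, nonce).

    Embed it in every form (hidden field) or send it in a custom header; it
    must never be readable from a cookie alone, because the cookie is exactly
    what the attacker's page gets the browser to attach for free.
    """
    issued = int(now if now is not None else time.time())
    nonce = secrets.token_hex(16)
    return f"{issued}.{nonce}.{_mac(session_id, issued, nonce)}"


def verify_csrf_token(session_id: str, token: str, now: Optional[float] = None) -> bool:
    """Constant-time check that the token belongs to this session and is fresh."""
    try:
        issued_s, nonce, mac = token.split(".")
        issued = int(issued_s)
    except ValueError:
        return False
    current = now if now is not None else time.time()
    if not 0 <= current - issued <= TOKEN_MAX_AGE:
        return False
    return hmac.compare_digest(mac, _mac(session_id, issued, nonce))


def handle_transfer(method: str, session_id: str, form: dict,
                    now: Optional[float] = None) -> str:
    """Hypothetical money-transfer endpoint.

    The session cookie alone proves nothing: the browser attaches it to a
    cross-site form post too, and that is the whole CSRF problem.
    """
    if method != "POST":
        return "rejected: state change attempted over GET"
    if not verify_csrf_token(session_id, form.get("csrf", ""), now):
        return "rejected: missing or invalid CSRF token"
    return f"ok: transferred {form['amount']} to {form['to']}"


if __name__ == "__main__":
    victim = "sess-victim"
    token = issue_csrf_token(victim)
    # Legitimate post from the site's own form, token included.
    print(handle_transfer("POST", victim, {"to": "mallory", "amount": "1000", "csrf": token}))
    # Auto-submitted form on the attacker's page: cookie present, token absent.
    print(handle_transfer("POST", victim, {"to": "mallory", "amount": "1000"}))
    # Attacker tries a token from his own session.
    print(handle_transfer("POST", victim, {"to": "mallory", "amount": "1000",
                                           "csrf": issue_csrf_token("sess-attacker")}))
```

The token has to be compared with `hmac.compare_digest` rather than `==`, and the session id it is bound to must come from the server-side session, never from the request body, otherwise the attacker simply supplies a matching pair.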
  • 34. Cookie Poisoning
    – Cookies sometimes store confidential or security-relevant data, e.g. the price of a product on an e-commerce site.
    – Because the client controls the cookie, that data can be manipulated for fun and profit.
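To make the price example concrete, here is an added demonstration (written for this page; the cart fields, key and helper names are assumptions). The first half is the anti-pattern: a shopping cart, price included, serialised into a cookie that any user can decode, edit and send back. The second half signs the cookie with an HMAC so that an edit is detected. Note what signing does and does not buy: it stops tampering, but the cookie is still readable and replayable, so the better design is to keep only the product id in the cookie and look the price up server-side.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Assumption: server-side key (constructed for the demo, never shipped to clients).
SECRET = b"constructed-demo-key-change-me"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode())


# --- the anti-pattern: the cart, price included, travels in the cookie --------
def make_cart_cookie_insecure(cart: dict) -> str:
    return _b64(json.dumps(cart, sort_keys=True).encode())


def read_cart_cookie_insecure(cookie: str) -> dict:
    return json.loads(_unb64(cookie))


def poison(cookie: str, **changes) -> str:
    """What the attacker does with TamperData or a proxy: decode, edit, re-encode."""
    cart = read_cart_cookie_insecure(cookie)
    cart.update(changes)
    return make_cart_cookie_insecure(cart)


# --- the fix: authenticate the cookie so an edit is rejected ------------------
def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def make_cart_cookie_signed(cart: dict) -> str:
    payload = _b64(json.dumps(cart, sort_keys=True).encode())
    return f"{payload}.{_sign(payload)}"  # '.' is outside the base64url alphabet


def read_cart_cookie_signed(cookie: str) -> Optional[dict]:
    """Returns the cart, or None if the cookie is unsigned, truncated or edited."""
    payload, sep, mac = cookie.rpartition(".")
    if not sep or not hmac.compare_digest(mac, _sign(payload)):
        return None
    return json.loads(_unb64(payload))


def poison_signed(cookie: str, **changes) -> str:
    """Same edit as poison(); the attacker cannot recompute the MAC without SECRET."""
    payload, _, mac = cookie.rpartition(".")
    cart = json.loads(_unb64(payload))
    cart.update(changes)
    return f"{_b64(json.dumps(cart, sort_keys=True).encode())}.{mac}"


if __name__ == "__main__":
    cart = {"sku": "X1", "price": 499}
    c = make_cart_cookie_insecure(cart)
    print("insecure, after tampering:", read_cart_cookie_insecure(poison(c, price=1)))
    s = make_cart_cookie_signed(cart)
    print("signed, untouched:", read_cart_cookie_signed(s))
    print("signed, after tampering:", read_cart_cookie_signed(poison_signed(s, price=1)))
```

In a real application the rejected cookie should be treated as a security event and logged, not silently replaced with an empty cart, because a signature failure is almost never an accident.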
  • 35. HTTP Response Splitting
    – The attacker splits one HTTP response into two.
    – Watch out for redirection scripts that place user input in response headers.
    – CR-LF (0x0d 0x0a) is the key to response splitting: one CR-LF ends the header line the input sits in, a second ends the header block, and everything after it is a body (or a whole second response) the attacker controls.
    – Web/browser cache poisoning, XSS and similar attacks become possible.
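An added example of the redirect case, written for this page rather than taken from the deck: a redirect script that copies a `target` parameter into the `Location` header, a constructed CR-LF payload that turns one response into two, and the hardened version that refuses control characters and additionally allow-lists the destination (the same parameter is otherwise an open redirect). The `shop.example` host and the helper names are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: hosts this application is allowed to redirect to (constructed).
ALLOWED_HOSTS = {"shop.example"}


class BadRedirect(ValueError):
    pass


def _build(target: str) -> bytes:
    return (f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n"
            f"Content-Length: 0\r\n\r\n").encode()


def redirect_vulnerable(target: str) -> bytes:
    """Redirect script that copies the request parameter straight into a header."""
    return _build(target)


def redirect_safe(target: str) -> bytes:
    """Reject CR, LF and NUL outright (the header grammar cannot carry them), then
    allow-list the destination so the script is not an open redirect either.

    `target` is assumed to have been URL-decoded once already by the framework;
    the check must run on the decoded value, because %0d%0a only becomes CR-LF
    after decoding."""
    if any(ch in target for ch in "\r\n\x00"):
        raise BadRedirect("control characters in redirect target")
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_HOSTS:
        raise BadRedirect("destination not on the allow-list")
    return _build(target)


def count_responses(raw: bytes) -> int:
    """How many HTTP responses a naive proxy or browser would see in `raw`."""
    return sum(1 for line in raw.split(b"\r\n") if line.startswith(b"HTTP/1.1 "))


def is_rejected(target: str) -> bool:
    try:
        redirect_safe(target)
    except BadRedirect:
        return True
    return False


# Constructed payload: terminates the real response (Content-Length: 0 cuts off
# the server's remaining headers) and supplies a second, attacker-written one.
# A cache in the path may store that second body for the URL (cache poisoning);
# the browser renders the script (XSS).
BODY = "<script>alert(document.cookie)</script>"
PAYLOAD = (
    "http://shop.example/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    f"Content-Length: {len(BODY)}\r\n"
    "\r\n"
    f"{BODY}"
)

if __name__ == "__main__":
    print("responses in vulnerable output:", count_responses(redirect_vulnerable(PAYLOAD)))
    print("payload rejected by safe version:", is_rejected(PAYLOAD))
    print("open redirect rejected:", is_rejected("http://evil.example/"))
```

Modern servers and frameworks usually refuse to emit a header containing CR or LF themselves, which is why the attack is rarer than in 2008; the allow-list is still needed, because an open redirect to a phishing page needs no CR-LF at all.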
  • 36. Google Hacking
    – Search engines index every document they are permitted to reach inside the web tree.
    – That data can be recovered with special query operators: site:<sitename>; inurl:<string>; intitle:<string>; filetype:<string>
  • 37. Scary Cracks: Credit cards & Google; Google.com UTF-7 XSS vulnerability; Yamanner; "Samy is my Hero" (the Samy worm); Bank of India hack; GMail CSRF vulnerability
  • 38. RoadMap…: Introduction; Attacks; The Arsenal; Breaking the Web; Preventing the Breakage
  • 39. The Arsenal: A web browser; Textbox/Textarea; Iframe; TamperData/TamperIE; WebScarab; Fuzzer (Crowbar); Google
  • 40. RoadMap…: Introduction; Attacks; The Arsenal; Breaking the Web; Preventing the Breakage
  • 41. Google Hacking: Search engines index anything and everything. Demo.
  • 42. Exploiting Mistakes: Client-side validation isn't enough (demo); "Clues in code/comments" (demo); Insecure implementation of the "Forgot Password" feature (demo)
  • 43. Exploiting Mistakes…: Too-verbose error messages (demo); Cookies aren't for sensitive data (demo); Brute-forcing session IDs (demo)
  • 44. Exploiting Zero Days: URI vulnerabilities (demo)
  • 45. Injection Attacks: SQL injection (demo); Command injection (demo); XPATH injection (demo)
  • 46. XSS Family: XSS (Cross-Site Scripting) (demo); XSS and encoding mistakes (demo); CSRF, the sleeping giant (demo)
  • 47. HTTP Response Splitting: Why is the user evil? Demo.
  • 48. RoadMap…: Introduction; Attacks; The Arsenal; Breaking the Web; Preventing the Breakage
  • 49. SDLC: Integrate security into every phase of the SDLC: Design → Coding → Testing → Deployment
  • 50. Design Phase
    – Stick to standards.
    – Encourage usage of well-proven frameworks.
    – Prefer whitelisting over blacklisting.
    – Prefer the Onion model (layered defences) over the Garlic model.
  • 51. Coding Phase
    – Do NOT trust the user.
    – Do NOT rely on client-side validation.
    – Prefer HttpOnly cookies, so that script cannot read the session cookie after an XSS.
    – Use nonces (anti-CSRF tokens) to prevent CSRF.
    – Don't just hash passwords, salt them too.
    – Avoid too-verbose/meaningful error messages.
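The "don't just hash passwords, salt them too" point is worth showing in code, because the reason is easy to state and easy to forget: an unsalted hash of a common password is the same for every user on every site, so one precomputed table breaks them all. The following is an added example written for this page, not from the deck. It puts a plain SHA-256 next to PBKDF2-HMAC-SHA256 with a random per-user salt and a work factor, in a self-describing stored format. The sample passwords and the format string are assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # work factor; tune upward as hardware gets faster


def unsalted_hash(password: str) -> str:
    """The anti-pattern: same password, same digest, for every user and every site."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; the salt and the iteration
    count are stored next to the digest so they can be changed later without
    breaking existing records."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(
        ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        algo, iters, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iters)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed sample: two users who picked the same password.
    print("unsalted, alice:", unsalted_hash("hunter2"))
    print("unsalted, bob:  ", unsalted_hash("hunter2"))   # identical: one table cracks both
    print("salted, alice:  ", hash_password("hunter2"))
    print("salted, bob:    ", hash_password("hunter2"))   # different salt, different digest
```

Where a memory-hard function such as scrypt or Argon2 is available it is the better choice; the stored-format idea is the same, and `hashlib.scrypt` drops in with the same salt handling.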
  • 52. Coding Phase…
    – Proper encoding can avoid most problems.
    – Input encoding: prefer UTF-8 or ISO-8859-1 and declare the charset explicitly; refer to http://ha.ckers.org/charsets.html
    – Output encoding: avoid rich HTML input from users; entity-encode (decimal &#NN;) user data before displaying it; refer to the OWASP Encoding Project
  • 53. Coding Phase…: Sanitise anything that comes from the user.
  • 54. Coding Phase…
    – Filter metacharacters (character and its URL encoding):
        <    %3c        >    %3e
        |    %7c        `    %60
        &    %26        (    %28
        CR   %0d        LF   %0a
        ..              /    %2f        \    %5c
    – Regular expressions are your friend.
    – Use stored procedures.
    – Prefer bind variables (parameterised statements) in SQL.
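The XSS slides earlier and the output-encoding and metacharacter slides above come together in one place: the encoder that runs on every piece of user data before it reaches the page. As an added example (written for this page, not from the deck), here is the decimal-entity encoder the slides recommend, a greeting and a search box rendered with and without it, and, as the caveat the "prefer whitelisting" advice is about, the usual blacklist filter being walked around. The markup templates and payloads are constructed for the demo.

```python
import html
import re


def encode_for_html(s: str) -> str:
    """Decimal-entity encode every character except ASCII letters and digits.

    A whitelist encoder: nothing has to be enumerated as dangerous, so it covers
    text nodes and quoted attribute values alike, and the browser decodes the
    entities for display, so nothing the user typed is lost."""
    return "".join(c if (c.isascii() and c.isalnum()) else f"&#{ord(c)};" for c in s)


def decoded_for_display(s: str) -> str:
    """What the browser shows for the encoded text (the original, verbatim)."""
    return html.unescape(encode_for_html(s))


def greeting_vulnerable(name: str) -> str:
    return f"<p>Hello, {name}</p>"


def greeting_safe(name: str) -> str:
    return f"<p>Hello, {encode_for_html(name)}</p>"


def search_box_vulnerable(value: str) -> str:
    return f'<input type="text" name="q" value="{value}">'


def search_box_safe(value: str) -> str:
    return f'<input type="text" name="q" value="{encode_for_html(value)}">'


def strip_script_blacklist(s: str) -> str:
    """The blacklist approach, done the way it usually gets done: remove the one
    tag you thought of, once."""
    return re.sub(r"(?i)<script>", "", s)


def contains_tag(markup: str, tag: str) -> bool:
    return f"<{tag}" in markup.lower()


def has_event_handler(markup: str) -> bool:
    """True if an on* attribute (onmouseover, onerror, ...) made it into the markup."""
    return re.search(r"\son[a-z]+\s*=", markup, re.I) is not None


if __name__ == "__main__":
    text_payload = "<script>alert(document.cookie)</script>"
    attr_payload = '" onmouseover="alert(1)'
    print(greeting_vulnerable(text_payload))
    print(greeting_safe(text_payload))
    print(search_box_vulnerable(attr_payload))
    print(search_box_safe(attr_payload))
    # Blacklist bypass: removing "<script>" once reassembles the tag.
    print(strip_script_blacklist("<scr<script>ipt>alert(1)</script>"))
```

Encoding this aggressively is safe for HTML text and quoted attributes; it is not the right encoder for data placed inside a JavaScript string, a URL or a CSS value, each of which needs its own context-specific encoding, which is the point of the OWASP Encoding Project the slide refers to.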
  • 55. Testing Phase
    – Code auditing: OWASP LAPSE plugin (Java); SPI Dynamics' DevInspect (Java & .NET), etc.
    – Web application scanners: w3af; Watchfire AppScan; SPI Dynamics' WebInspect, etc.
    – No substitute for an experienced human eye.
  • 56. Deployment Phase
    – Keep anything that need not be served out of the web tree; use robots.txt for the rest, remembering that it only asks well-behaved crawlers to stay away and that it advertises every path it lists.
    – Set minimal permissions.
    – Keep the system patched.
    – Use a Web Application Firewall: UrlScan; ModSecurity; SecureIIS, etc.
    – …but, most importantly:
  • 57. Education: Educate your developers.
  • 58. Final Words
    – The WWW was designed for information exchange.
    – Today, too much is at stake.
    – Ignorance is no longer bliss.
    – Take responsibility and…
  • 59. Final Words… …be prepared. "Do you know what HTML 5.0 and XHTML 2.0 have in store for us? You don't even want to know…" (Ronald van den Heetkamp)
  • 60. …and Finally, String.fromCharCode(84,104,97,110,107,32,89,111,117,33), i.e., Thank You! ☺
  • 61. Acknowledgements
    – Lalit Patel (http://lalit.org) & Lucky (http://reboot.in)
    – Images: http://flickr.com; http://flickr.com/photos/jeanetteb1/1400824517; http://flickr.com/photos/jbhalper/334521840; http://flickr.com/photos/hondawang/566041603; http://flickr.com/photos/14018070@N08/1438910620; http://flickr.com/photos/44368636@N00/76684587; http://www.cyberpunkreview.com/images/matrixreloaded63.jpg; http://www.flickr.com/photos/johnengler/211482969; http://www.flickr.com/photos/lamkevin/458083458; http://www.flickr.com/photos/beavis/459281241; http://flickr.com/photos/briansolis/326278887; http://www.flickr.com/photos/focus2capture/297232107; http://flickr.com/photos/complexify/97303317; http://flickr.com/photos/amyking/142161588; http://xkcd.com/327/
  • 62. References
    – http://search.yahoo.com (to be safer)
    – http://0x000000.com
    – http://ha.ckers.org
    – http://sla.ckers.org
    – http://gnucitizen.com
    – XSS Attacks (Syngress)
    – Professional Pen Testing for Web Applications (Wrox)
    – Hacking Exposed (Tata McGraw-Hill)
    – 19 Deadly Sins of Software Security (Tata McGraw-Hill)
    – OWASP & WASC
    – David Kierznowski, Amit Klein, Jeremiah Grossman, Gareth Heyes, Andres Riancho, Ronald, RSnake, pdp, Billy Rios, Nate, Thor, … and a lot more
  • 63. Got Questions??? Shoot them.