Application Security

Dilan Warnakulasooriya, Information Security Engineer, 99X Technology
Asanka Fernandopulle, Senior Software Engineer, 99X Technology

1/1/2013 99X Technology(c) 1
Basics of Application Security
  • HTTP and HTTPS
    • Symmetric key
    • Asymmetric key
    • Session key
    • Analyzing a certificate
    • Sniffing HTTP and HTTPS
    • Calomel plugin

Basics of Application Security
  • Man in the middle
    • Analyzing browser requests
    • Analyzing server response
    • HTTPS communication
    • HTTPS and S-HTTP

Basics of Application Security
  • What OWASP does
    • Builders, Breakers and Defenders
Web Application penetration testing
  • Basic web testing methodology
    • Vulnerability, Threat and Exploit
  • Developer level application security overview

Web Application penetration testing
  • Application Security frameworks
    • Before development begins
    • During definition and design
    • During development
    • During deployment
    • Maintenance and operations

Web Application penetration testing
  • Web application security review frameworks
    • Samurai WTF
    • Websecurify
    • Wapiti
    • Skipfish
    • Acunetix
    • WebScarab
    • w3af
Secure Authentication
  • Authentication/Access control methods

Secure Authentication
  • Authentication bypass techniques
    • Direct page request
    • Parameter modification
    • Session ID prediction
    • SQL injection
    Session predictability - WebScarab/Burp Suite

Secure Authentication
  • Bypass authentication matrix
    • Basic authentication
    • Multi-level login 1
    • Multi-level login 2

Secure Authentication
  • Password remember
    • Password strength
    • Forgot password
  • Browser cache management

Secure Authentication
  • Parameter tampering
    • Bypass HTML field restrictions
    • Exploit hidden fields
    • Bypass client-side JavaScript validation
  • Coding controls for parameter tampering

Secure Authentication
  • Access control flaws
    • Using an access control matrix
    • Bypass a path-based access control scheme
    • Bypass data layer access control
Injections
  • SQL injection classes
    • In-band
    • Out-of-band
    • Inferential

Injections
  • Techniques to exploit SQL injections
    • Union operator
    • Boolean
    • Error based
    • Out-of-band
    • Time delay

Injections
  • Standard SQL injection testing
    • SELECT * FROM Users WHERE Username='$username' AND Password='$password'
    • Numeric SQL injection

Injections
  • Union exploitation technique
    • XPath injection
    • String SQL injection

Injections
  • Boolean exploitation technique
    • SQL injection: Stage 1: String SQL injection
    • Stage 3: Numeric SQL injection

Injections
  • Error-based exploitation technique
    • Modify data with SQL injection
    • Add data with SQL injection

Injections
  • Out-of-band exploitation technique

Injections
  • Time delay exploitation technique
  • Stored procedure exploitation technique
  • Automated exploitation technique

Injections
  • How developers work on SQL injection
  • Automate your injection
    • sqlmap
Session Management
  • Session management techniques
  • Session management vulnerability
    • Insufficient session ID length
    • Session fixation
    • Session variable overloading

Session Management
  • Check your cookies
    • Cookie collection
    • Cookie reverse engineering
    • Cookie manipulation
  • Hijack a session
    • Hijack a session
    • Spoof an authentication cookie
    • Session fixation

Session Management
  • How developers work on session handling
Code Quality
  • Code quality breach
    • Discover clues in the HTML
Cross Site Scripting
  • Scripting types
    • Reflected cross site scripting (non-persistent XSS)
    • Stored cross site scripting (second-order XSS)
    • DOM based cross site scripting (type 0 XSS)

Cross Site Scripting
  • Reflected cross site scripting (non-persistent XSS)
  • Testing for reflected XSS
    • Reflected XSS

Cross Site Scripting
  • Bypass XSS filters
    • Tag attribute value
    • Different syntax or encoding
    • Bypassing non-recursive filtering

Cross Site Scripting
  • Stored cross site scripting (second-order XSS)
  • XSS attack scenario
    • Stored XSS

Cross Site Scripting
  • Testing for stored cross site scripting
    • Input forms
    • Analyze HTML code
    • Exploitation framework
    • File upload

Cross Site Scripting
  • How developers handle XSS and CSRF
Testing Tools
  • Proxy
  • How to write secure programs

Thank you
