Net security 101
The Internet is a hostile network

Kristaps Kūlis
“Real” security

●   Security through security, not obscurity
    A house is secured by door keys, not by putting the doors on the roof.
●   Ongoing process
Web applications

Be conservative in what you do; be liberal in what you accept from others
/Postel's law/
SQL injection

SQL injections
●   Creating queries by string concatenation is “the wrong way”
●   MySQL doesn't run multiple queries in one call.
●   Let the DB do the validation: use parametrized queries
●   ORM frameworks lift the burden
    ●   It is easy to forget to validate inline SQL somewhere
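The difference between the “wrong way” and a parametrized query, as an added example (not code from the slides) using Python's bundled sqlite3 driver and a constructed users table:

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample table for the demonstration (not data from the slides).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"),
         ("bob", "bob@example.com"),
         ("o'neil", "oneil@example.com")],
    )
    conn.commit()
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    # The "wrong way" from the slide: the request value is pasted into the
    # SQL text, so a quote inside it changes the structure of the statement.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    # Parametrized query: the SQL text is fixed and the value travels
    # separately, so the database engine never parses it as SQL.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def concat_breaks_on_apostrophe(conn: sqlite3.Connection) -> bool:
    # Even a legitimate name with an apostrophe is enough to break the
    # concatenated version: SQLite rejects the malformed statement.
    try:
        lookup_concat(conn, "o'neil")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("param, normal:    ", lookup_param(db, "alice"))
    print("param, apostrophe:", lookup_param(db, "o'neil"))
    print("concat raises on apostrophe:", concat_breaks_on_apostrophe(db))
    # A value that closes the quote and appends OR 'a'='a' turns the WHERE
    # clause into "always true" for the concatenated query; the parametrized
    # query just looks for a user literally named that and finds none.
    probe = "x' OR 'a'='a"
    print("concat, probe:", lookup_concat(db, probe))
    print("param, probe: ", lookup_param(db, probe))
```

The same split applies to an ORM: its query builder parametrizes for you, but any hand-written inline SQL you pass through it is back on the concatenation path.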
XSS

XSS
●   Escape HTML/JS/XML special characters on output
●   Vulnerability can exist on client side (JS).
    ●   It can get hairy with JS, AJAX, JSONP etc ...
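Escaping on output, context by context, as an added example (not code from the slides). It shows why the JS case “gets hairy”: the same value needs HTML escaping in the page body but JSON encoding plus `</` splitting inside a script block. Function names are mine.

```python
import html
import json


def escape_html(value: str) -> str:
    # HTML body and quoted-attribute context: neutralise the characters that
    # could open a tag, close an attribute or start an entity.
    return html.escape(value, quote=True)


def escape_for_js_string(value: str) -> str:
    # Inline <script> context. HTML escaping is the wrong tool here: the HTML
    # parser ends a <script> element at the first "</script" it sees, before
    # the JavaScript engine runs anything, and &lt; inside a script block is
    # not decoded at all. JSON-encode the value (quotes, backslashes and
    # control characters get escaped) and additionally break up "</" so the
    # literal can never terminate the script element.
    return json.dumps(value).replace("</", "<\\/")


def render_profile(display_name: str) -> str:
    # The same untrusted value lands in two different contexts on one page,
    # and each context gets its own escaping at output time.
    return (
        "<p>Hello, " + escape_html(display_name) + "</p>\n"
        "<script>var user = " + escape_for_js_string(display_name) + ";</script>"
    )


if __name__ == "__main__":
    # Constructed input: a display name containing markup and a closing script tag.
    print(render_profile('<b>Bob</b> & "friends" </script>'))
```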
CSRF

    <img src="http://www.bank.lv/pay?to=kristaps&amount=100" />

●   Third-party unauthorized request to a web site
●   Include a unique token in each response and validate it on request.
●   Never update data with GET
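Both slide rules together, as an added example (not code from the slides): a per-session token embedded in every form and checked on every state-changing request, plus an outright refusal to change data on GET. The class and session id are constructed for illustration.

```python
import hmac
import secrets


class CsrfGuard:
    """Per-session anti-CSRF token (constructed example).

    The token is issued with every response that contains a form, and every
    state-changing request must echo it back. Assumes the caller already
    resolved the session id from the session cookie."""

    SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

    def __init__(self) -> None:
        # session_id -> token; in a real app this lives in the session store.
        self._tokens: dict = {}

    def token_for(self, session_id: str) -> str:
        # One unguessable token per session, from the CSPRNG. A third-party
        # page can make the browser *send* a request to us, but it cannot
        # *read* our pages, so it never learns this value.
        if session_id not in self._tokens:
            self._tokens[session_id] = secrets.token_urlsafe(32)
        return self._tokens[session_id]

    def hidden_field(self, session_id: str) -> str:
        # Goes into every form in the response ("include unique token into each response").
        return ('<input type="hidden" name="csrf_token" value="%s">'
                % self.token_for(session_id))

    def allow_state_change(self, session_id: str, method: str, form: dict) -> bool:
        # "Never update data with GET": a handler that changes data refuses
        # safe methods outright, so the <img src="...pay?..."> request from
        # the slide is rejected before any token check.
        if method.upper() in self.SAFE_METHODS:
            return False
        expected = self._tokens.get(session_id)
        supplied = str(form.get("csrf_token", ""))
        # Validate on request. compare_digest keeps the comparison
        # constant-time so the token cannot be recovered byte by byte.
        return expected is not None and hmac.compare_digest(
            expected.encode("utf-8"), supplied.encode("utf-8"))


if __name__ == "__main__":
    guard = CsrfGuard()
    sid = "session-of-kristaps"          # constructed session id
    form_html = guard.hidden_field(sid)   # rendered into the /pay form
    good = {"to": "kristaps", "amount": "100", "csrf_token": guard.token_for(sid)}
    print("legitimate POST:   ", guard.allow_state_change(sid, "POST", good))
    print("cross-site GET:    ", guard.allow_state_change(sid, "GET", good))
    print("POST without token:", guard.allow_state_change(sid, "POST", {"to": "kristaps"}))
```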
Storing passwords

●   Do not expose DB / other credentials
●   MD5 is too “cheap”. SHA1 is not “expensive enough”
●   Make hash functions slow.
    ●   Multiple iterations
    ●   Bcrypt
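What “make hash functions slow” looks like in code, as an added example (not code from the slides). It uses PBKDF2 from the standard library as a stand-in for bcrypt: a different construction, but the same idea of a salted, deliberately iterated hash whose cost is stored with the record and can be raised later. Names and the iteration count are my choices.

```python
import base64
import hashlib
import hmac
import os
import time

ALGO = "sha256"
ITERATIONS = 600_000  # raise over time; the point is that every guess costs this much


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    # Fresh random salt per password: identical passwords get different hashes
    # and precomputed tables are useless. The cost is stored next to the hash
    # so it can be raised later without breaking existing records.
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac(ALGO, password.encode("utf-8"), salt, iterations)
    return "pbkdf2_%s$%d$%s$%s" % (ALGO, iterations, _b64(salt), _b64(dk))


def verify_password(stored: str, candidate: str) -> bool:
    # Recompute with the parameters recorded in the stored string and compare
    # in constant time.
    scheme, iterations, salt_b64, dk_b64 = stored.split("$")
    algo = scheme.split("_", 1)[1]
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac(algo, candidate.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored: str) -> bool:
    # Call after a successful login: if the record was made with a lower cost
    # than today's setting, re-hash the (now known) password and store that.
    return int(stored.split("$")[1]) < ITERATIONS


def cost_seconds(iterations: int) -> float:
    # How long one verification takes at a given cost. "Slow" means a value
    # that is tolerable once per login and painful times billions of guesses.
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac(ALGO, b"benchmark", b"0123456789abcdef", iterations)
    return time.perf_counter() - t0


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("right password:", verify_password(record, "correct horse battery staple"))
    print("wrong password:", verify_password(record, "Tr0ub4dor&3"))
    for n in (1_000, 100_000, ITERATIONS):
        print("%7d iterations: %.4fs" % (n, cost_seconds(n)))
```

The timing loop is the practical check behind the slide's MD5/SHA1 remark: a single unsalted digest costs a microsecond, which is exactly why it is too cheap.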
Authorization vs Authentication

Authentication: authenticating user credentials.
Usually done once per session.

Authorization: checks that the user is authorized to do a particular action.
Must be done on every request.
Session fixation
●   Session cookie stealing / guessing
    ●   Initialize sessions
    ●   Tie sessions to IP address / User Agent
    ●   Expire / invalidate sessions.
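The three bullets as a small server-side session store, added here as an example (not code from the slides): a fresh id is generated on login so a pre-set id is never promoted to an authenticated session, each session is bound to the IP/User-Agent it was created with, and idle and absolute lifetimes are enforced. Class name, timeouts and the explicit `now` parameter are my choices.

```python
import secrets
import time


class SessionStore:
    """Constructed example of a server-side session store. Timestamps are
    passed in explicitly so the lifetime rules can be exercised in a test."""

    IDLE_TIMEOUT = 30 * 60        # seconds since the session was last used
    ABSOLUTE_TIMEOUT = 8 * 3600   # seconds since the session was created

    def __init__(self) -> None:
        self._sessions: dict = {}  # session id -> record

    def start(self, ip: str, ua: str, now=None) -> str:
        # The id is always generated server-side from the CSPRNG and never
        # taken from the request, so an id an attacker pre-set in the
        # victim's browser is simply never accepted as a session.
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "ip": ip, "ua": ua,
                               "created": now, "last_seen": now}
        return sid

    def login(self, old_sid: str, user: str, ip: str, ua: str, now=None) -> str:
        # "Initialize sessions": on authentication the pre-login id is
        # destroyed and the authenticated state lives only under a fresh id.
        # The caller must set the new id in the cookie.
        self._sessions.pop(old_sid, None)
        sid = self.start(ip, ua, now)
        self._sessions[sid]["user"] = user
        return sid

    def resolve(self, sid: str, ip: str, ua: str, now=None):
        # Returns the session record, or None when the id is unknown, the
        # client binding changed, or a lifetime was exceeded. A failed check
        # invalidates the session rather than leaving it usable by whoever
        # else holds the id.
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None:
            return None
        if s["ip"] != ip or s["ua"] != ua:
            del self._sessions[sid]
            return None
        if (now - s["last_seen"] > self.IDLE_TIMEOUT
                or now - s["created"] > self.ABSOLUTE_TIMEOUT):
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s

    def logout(self, sid: str) -> None:
        # "Expire / invalidate": an explicit logout removes the record, so a
        # copied cookie is useless afterwards.
        self._sessions.pop(sid, None)
```

The IP binding is the one rule to apply with care: users on mobile networks or behind load-balanced NAT change address mid-session, so many deployments bind to the User-Agent only and rely on the regeneration and timeout rules.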
PHP specific problems

register_globals
~50% of open source PHP app vulnerabilities work only when register_globals is on

safe_mode
Wrong place, wrong solution

magic_quotes
Gives a false sense of security and no real protection

display_errors
Gives away too much information
Log your errors, do not display them

One .php file as one script
PHP engine has no “application” concept.
Class files, configuration files, etc. should not be executable …
...everything that is not .php by default is dumped as plaintext in the browser

include and require accept URLs as parameters
Remote code injection made dead easy

If you disable remote_url_fopen, you cannot open any URL (without cURL)

All these settings should be disabled by default
On most hosting servers they are not
Server security
environment matters
TLS (SSL)
●   Public-private key infrastructure
●   Server verification and data encryption
●   Ultimate trust in Certificate Authorities (CA)
●   Don't use self-signed certificates. Roll out your own CA.
Secure / insecure protocols
●   HTTP sends all information in plaintext
●   So do FTP/IMAP/POP3/SMTP
●   Use HTTPS / SFTP / IMAPS / POP3S / SMTP over TLS
●   DNS is built on trust. DNSSEC is not (yet) working.
[D]DoS
●   DoS – “million” requests from one client
●   DDoS – “zillion” requests from “million” clients
●   Handle DoS at the firewall level.
●   Try to survive DDoS at the router level.
Shared hosting
●   Easy, fast, secure – pick two
●   “Jail” each site
●   SELinux / AppArmor to the rescue
●   IDS / mod_security is slow
●   Test backups.
Real life 100% secure system

Slide intentionally left blank
Personal security
the weakest link in the chain
Passwords

Passwords are like underwear.
You don't share them and you change them often.

KeePassX
Think
●   Don't use plaintext protocols over open WiFi
●   Secure your home router
●   Check URLs and filenames
●   Malware doesn't expose itself anymore
    ●   Botnet
    ●   Information stealing
●   Avoid buggy and insecure software (Flash and Acrobat Reader).
Securing digital communication
●   Skype is sort-of secure
●   PGP
●   S/MIME
Handling incidents
●   Not all hackers are bad
●   Preserve evidence
●   Presume that the attacker obtained maximum information.
●   The system is compromised
●   Eliminate attack vectors
●   Offline backups help.
Questions ?
Further reading
●   www.owasp.org – knowledge
●   www.cert.lv – Latvia's network security team
Books
●   Stealing the Network: How to Own the Box by R. Russell – hacking “fiction” book.
●   The Art of Deception by Kevin Mitnick – hacker “memoirs”
