SlideShare ist ein Scribd-Unternehmen logo

Web Security: A Journey - UC San Diego

Saumil Shah
Saumil Shah

A short introduction to the root causes of security issues with web applications and HTTP.

Software
1 von 25
net-square UCSD July '15 Web Security: A Journey Saumil Shah CEO Net Square UC San Diego – 23 July 2015
net-square UCSD July '15 Saumil Shah @therealsaumil saumilshah hacker speaker trainer entrepreneur traveler photographer calligrapher kite-flyer software breaker rebel global net-square.com
net-square UCSD July '15 WE ARE HACKERS WE PUSH THE ENVELOPE WE THRIVE ON FACTS AND LOGIC.. ..AND LATERAL THINKING WE QUESTION AND CHALLENGE AND WORK ON LIMITED RESOURCES
net-square UCSD July '15 Enter the WEB
net-square UCSD July '15 HTTP •  Deliver HTML pages to browsers. •  Cross platform document delivery. •  Application independent. •  Standard markup. •  CLIENT: Web browser •  SERVER: HTTP server
net-square UCSD July '15 Web Applications WebServer App Server DB
net-square UCSD July '15 Client/Server vs. Web Apps Application Protocol Authentication Concurrent Sessions Data Representation DataValidation Business Logic Presentation HTTP Authentication Concurrent Sessions Data Representation DataValidation Business Logic Presentation
net-square UCSD July '15 Application Delivery HTTP Authentication Statefulness Data Types Data Validation CGI HTML JS AJAX Flash HTML5 Silverlight Web sockets Web workers Local storage
net-square UCSD July '15 Browser Architecture DOM HTML+CSS Javascript ActiveX mimetypes toolbars Flash libraries <div> <img> <iframe> <body> <form> <input> <table> <style> <object> <embed> <script>
net-square UCSD July '15 1995-1998
net-square UCSD July '15
net-square UCSD July '15
net-square UCSD July '15 2008-present
net-square UCSD July '15 A Revival
net-square UCSD July '15 What shall your response be? GET / HTTP/1.0 GET /nonexist.ent HTTP/1.0
net-square UCSD July '15 What shall your response be? ZOMFG / HTTP/1.0 GET / HTTP/3.0 GET / JUNK/1.0
net-square UCSD July '15 The responders Test Apache Microsoft IIS SunONE GET / HTTP/1.0 200 200 200 GET /nonexist.ent HTTP/1.0 404 404 404 DELETE / HTTP/1.0 405 403 401 GET / HTTP/3.0 400 200 505 GET / JUNK/1.0 200 400 none
net-square UCSD July '15 x=hello&x=world •  A: "hello" •  B: "world" •  C: "hello, world" •  D: WTF
net-square UCSD July '15 x=hello&x=world Web Server Value of x Apache "world" IBM HTTP Server "hello" Domino "world" IIS "hello, world" Tomcat "hello" Python/Zope Array ['hello', 'world']
net-square UCSD July '15 Sources of Software Errors User Input Race Condition Environment Resource Exhaustion
net-square UCSD July '15 The "banana" test I CAN HAZ BANANA?
net-square UCSD July '15 Circle of HTTP Trust Your Users
net-square UCSD July '15 The user's going to pick dancing pigs over security every time. Bruce Schneier
net-square UCSD July '15 Technology in the hands of users
net-square UCSD July '15 Thank You... Questions? saumil@net-square.com @therealsaumil

Empfohlen

Rackspace::Solve NYC - Welcome Keynote featuring Rackspace CTO John Engates
Rackspace::Solve NYC - Welcome Keynote featuring Rackspace CTO John EngatesRackspace::Solve NYC - Welcome Keynote featuring Rackspace CTO John Engates
Rackspace::Solve NYC - Welcome Keynote featuring Rackspace CTO John EngatesRackspace
 
W.E.B. 2010 - Web, Exploits, Browsers
W.E.B. 2010 - Web, Exploits, BrowsersW.E.B. 2010 - Web, Exploits, Browsers
W.E.B. 2010 - Web, Exploits, BrowsersSaumil Shah
 
Hacking With Pictures SyScan 2015
Hacking With Pictures SyScan 2015Hacking With Pictures SyScan 2015
Hacking With Pictures SyScan 2015Saumil Shah
 
Alhuda CIBE - Musharaka by Muhammad Zubair Usmani
Alhuda CIBE - Musharaka by Muhammad Zubair Usmani Alhuda CIBE - Musharaka by Muhammad Zubair Usmani
Alhuda CIBE - Musharaka by Muhammad Zubair Usmani Alhuda Centre of Islamic Banking & Economics
 
Operating Systems - A Primer
Operating Systems - A PrimerOperating Systems - A Primer
Operating Systems - A PrimerSaumil Shah
 
Introduction to Debuggers
Introduction to DebuggersIntroduction to Debuggers
Introduction to DebuggersSaumil Shah
 
Hack.LU - The Infosec Crossroads
Hack.LU - The Infosec CrossroadsHack.LU - The Infosec Crossroads
Hack.LU - The Infosec CrossroadsSaumil Shah
 
How Functions Work
How Functions WorkHow Functions Work
How Functions WorkSaumil Shah
 

Empfohlen

Rackspace::Solve NYC - Welcome Keynote featuring Rackspace CTO John Engates
Rackspace::Solve NYC - Welcome Keynote featuring Rackspace CTO John EngatesRackspace::Solve NYC - Welcome Keynote featuring Rackspace CTO John Engates
Rackspace::Solve NYC - Welcome Keynote featuring Rackspace CTO John EngatesRackspace
 
W.E.B. 2010 - Web, Exploits, Browsers
W.E.B. 2010 - Web, Exploits, BrowsersW.E.B. 2010 - Web, Exploits, Browsers
W.E.B. 2010 - Web, Exploits, BrowsersSaumil Shah
 
Hacking With Pictures SyScan 2015
Hacking With Pictures SyScan 2015Hacking With Pictures SyScan 2015
Hacking With Pictures SyScan 2015Saumil Shah
 
Alhuda CIBE - Musharaka by Muhammad Zubair Usmani
Alhuda CIBE - Musharaka by Muhammad Zubair Usmani Alhuda CIBE - Musharaka by Muhammad Zubair Usmani
Alhuda CIBE - Musharaka by Muhammad Zubair Usmani Alhuda Centre of Islamic Banking & Economics
 
Operating Systems - A Primer
Operating Systems - A PrimerOperating Systems - A Primer
Operating Systems - A PrimerSaumil Shah
 
Introduction to Debuggers
Introduction to DebuggersIntroduction to Debuggers
Introduction to DebuggersSaumil Shah
 
Hack.LU - The Infosec Crossroads
Hack.LU - The Infosec CrossroadsHack.LU - The Infosec Crossroads
Hack.LU - The Infosec CrossroadsSaumil Shah
 
How Functions Work
How Functions WorkHow Functions Work
How Functions WorkSaumil Shah
 
CSX Megatrends Cloud Risk Assurance Oct 15 FINAL
CSX Megatrends Cloud Risk Assurance Oct 15 FINALCSX Megatrends Cloud Risk Assurance Oct 15 FINAL
CSX Megatrends Cloud Risk Assurance Oct 15 FINALSatchit Dokras
 
Enhanced Security and Compliance with AWS
Enhanced Security and Compliance with AWSEnhanced Security and Compliance with AWS
Enhanced Security and Compliance with AWSAmazon Web Services
 
Defending your workloads against the next zero-day vulnerability 
Defending your workloads against the next zero-day vulnerability Defending your workloads against the next zero-day vulnerability 
Defending your workloads against the next zero-day vulnerability Amazon Web Services
 
Building a Real-Time Analytics Application with Apache Pulsar and Apache Pinot
Building a Real-Time Analytics Application with Apache Pulsar and Apache PinotBuilding a Real-Time Analytics Application with Apache Pulsar and Apache Pinot
Building a Real-Time Analytics Application with Apache Pulsar and Apache PinotAltinity Ltd
 
OSA Con 2022 - Building a Real-time Analytics Application with Apache Pulsar ...
OSA Con 2022 - Building a Real-time Analytics Application with Apache Pulsar ...OSA Con 2022 - Building a Real-time Analytics Application with Apache Pulsar ...
OSA Con 2022 - Building a Real-time Analytics Application with Apache Pulsar ...Altinity Ltd
 
Q315 citi-conf-090915
Q315 citi-conf-090915Q315 citi-conf-090915
Q315 citi-conf-090915sandisk2015
 
Networking: New Capabilities for Amazon Virtual Private Cloud
Networking: New Capabilities for Amazon Virtual Private Cloud Networking: New Capabilities for Amazon Virtual Private Cloud
Networking: New Capabilities for Amazon Virtual Private Cloud Amazon Web Services
 
DPR202 Open Data for the Open Web
DPR202 Open Data for the Open WebDPR202 Open Data for the Open Web
DPR202 Open Data for the Open WebRonald Widha
 
itSMF Spanish Conference Deck
itSMF Spanish Conference Deck itSMF Spanish Conference Deck
itSMF Spanish Conference Deck Robert Stroud
 
itSMF Espana presentation
itSMF Espana presentationitSMF Espana presentation
itSMF Espana presentationRobert Stroud
 
Adding Realtime to your Projects
Adding Realtime to your ProjectsAdding Realtime to your Projects
Adding Realtime to your ProjectsIgnacio Martín
 
Best Practices with IoT Security - February Online Tech Talks
Best Practices with IoT Security - February Online Tech TalksBest Practices with IoT Security - February Online Tech Talks
Best Practices with IoT Security - February Online Tech TalksAmazon Web Services
 
Scaling by Design: AWS Web Services Patterns
Scaling by Design: AWS Web Services PatternsScaling by Design: AWS Web Services Patterns
Scaling by Design: AWS Web Services PatternsAmazon Web Services
 
Scaling by Design: AWS Web Services Patterns
Scaling by Design: AWS Web Services PatternsScaling by Design: AWS Web Services Patterns
Scaling by Design: AWS Web Services PatternsAmazon Web Services
 
AWS Power Tools: Advanced AWS CloudFormation and CLI
AWS Power Tools: Advanced AWS CloudFormation and CLIAWS Power Tools: Advanced AWS CloudFormation and CLI
AWS Power Tools: Advanced AWS CloudFormation and CLIAmazon Web Services
 
Let's get evil - threat modeling at scale
Let's get evil - threat modeling at scaleLet's get evil - threat modeling at scale
Let's get evil - threat modeling at scaleSecuRing
 
AWS Summit Canberra Keynote 2016
AWS Summit Canberra Keynote 2016AWS Summit Canberra Keynote 2016
AWS Summit Canberra Keynote 2016Amazon Web Services
 
Web application I have always dreamt of
Web application I have always dreamt ofWeb application I have always dreamt of
Web application I have always dreamt ofVictor_Cr
 
For Critical Infrastructure Protection
For Critical Infrastructure ProtectionFor Critical Infrastructure Protection
For Critical Infrastructure ProtectionPriyanka Aash
 
Managing microservices with istio on OpenShift - Meetup
Managing microservices with istio on OpenShift - MeetupManaging microservices with istio on OpenShift - Meetup
Managing microservices with istio on OpenShift - MeetupJosé Román Martín Gil
 
The Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksThe Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksSaumil Shah
 
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSDebugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSSaumil Shah
 

Weitere ähnliche Inhalte

Ähnlich wie Web Security: A Journey - UC San Diego

CSX Megatrends Cloud Risk Assurance Oct 15 FINAL
CSX Megatrends Cloud Risk Assurance Oct 15 FINALCSX Megatrends Cloud Risk Assurance Oct 15 FINAL
CSX Megatrends Cloud Risk Assurance Oct 15 FINALSatchit Dokras
 
Enhanced Security and Compliance with AWS
Enhanced Security and Compliance with AWSEnhanced Security and Compliance with AWS
Enhanced Security and Compliance with AWSAmazon Web Services
 
Defending your workloads against the next zero-day vulnerability 
Defending your workloads against the next zero-day vulnerability Defending your workloads against the next zero-day vulnerability 
Defending your workloads against the next zero-day vulnerability Amazon Web Services
 
Building a Real-Time Analytics Application with Apache Pulsar and Apache Pinot
Building a Real-Time Analytics Application with Apache Pulsar and Apache PinotBuilding a Real-Time Analytics Application with Apache Pulsar and Apache Pinot
Building a Real-Time Analytics Application with Apache Pulsar and Apache PinotAltinity Ltd
 
OSA Con 2022 - Building a Real-time Analytics Application with Apache Pulsar ...
OSA Con 2022 - Building a Real-time Analytics Application with Apache Pulsar ...OSA Con 2022 - Building a Real-time Analytics Application with Apache Pulsar ...
OSA Con 2022 - Building a Real-time Analytics Application with Apache Pulsar ...Altinity Ltd
 
Q315 citi-conf-090915
Q315 citi-conf-090915Q315 citi-conf-090915
Q315 citi-conf-090915sandisk2015
 
Networking: New Capabilities for Amazon Virtual Private Cloud
Networking: New Capabilities for Amazon Virtual Private Cloud Networking: New Capabilities for Amazon Virtual Private Cloud
Networking: New Capabilities for Amazon Virtual Private Cloud Amazon Web Services
 
DPR202 Open Data for the Open Web
DPR202 Open Data for the Open WebDPR202 Open Data for the Open Web
DPR202 Open Data for the Open WebRonald Widha
 
itSMF Spanish Conference Deck
itSMF Spanish Conference Deck itSMF Spanish Conference Deck
itSMF Spanish Conference Deck Robert Stroud
 
itSMF Espana presentation
itSMF Espana presentationitSMF Espana presentation
itSMF Espana presentationRobert Stroud
 
Adding Realtime to your Projects
Adding Realtime to your ProjectsAdding Realtime to your Projects
Adding Realtime to your ProjectsIgnacio Martín
 
Best Practices with IoT Security - February Online Tech Talks
Best Practices with IoT Security - February Online Tech TalksBest Practices with IoT Security - February Online Tech Talks
Best Practices with IoT Security - February Online Tech TalksAmazon Web Services
 
Scaling by Design: AWS Web Services Patterns
Scaling by Design: AWS Web Services PatternsScaling by Design: AWS Web Services Patterns
Scaling by Design: AWS Web Services PatternsAmazon Web Services
 
Scaling by Design: AWS Web Services Patterns
Scaling by Design: AWS Web Services PatternsScaling by Design: AWS Web Services Patterns
Scaling by Design: AWS Web Services PatternsAmazon Web Services
 
AWS Power Tools: Advanced AWS CloudFormation and CLI
AWS Power Tools: Advanced AWS CloudFormation and CLIAWS Power Tools: Advanced AWS CloudFormation and CLI
AWS Power Tools: Advanced AWS CloudFormation and CLIAmazon Web Services
 
Let's get evil - threat modeling at scale
Let's get evil - threat modeling at scaleLet's get evil - threat modeling at scale
Let's get evil - threat modeling at scaleSecuRing
 
AWS Summit Canberra Keynote 2016
AWS Summit Canberra Keynote 2016AWS Summit Canberra Keynote 2016
AWS Summit Canberra Keynote 2016Amazon Web Services
 
Web application I have always dreamt of
Web application I have always dreamt ofWeb application I have always dreamt of
Web application I have always dreamt ofVictor_Cr
 
For Critical Infrastructure Protection
For Critical Infrastructure ProtectionFor Critical Infrastructure Protection
For Critical Infrastructure ProtectionPriyanka Aash
 
Managing microservices with istio on OpenShift - Meetup
Managing microservices with istio on OpenShift - MeetupManaging microservices with istio on OpenShift - Meetup
Managing microservices with istio on OpenShift - MeetupJosé Román Martín Gil
 

Ähnlich wie Web Security: A Journey - UC San Diego (20)

CSX Megatrends Cloud Risk Assurance Oct 15 FINAL
CSX Megatrends Cloud Risk Assurance Oct 15 FINALCSX Megatrends Cloud Risk Assurance Oct 15 FINAL
CSX Megatrends Cloud Risk Assurance Oct 15 FINAL
 
Enhanced Security and Compliance with AWS
Enhanced Security and Compliance with AWSEnhanced Security and Compliance with AWS
Enhanced Security and Compliance with AWS
 
Defending your workloads against the next zero-day vulnerability 
Defending your workloads against the next zero-day vulnerability Defending your workloads against the next zero-day vulnerability 
Defending your workloads against the next zero-day vulnerability 
 
Building a Real-Time Analytics Application with Apache Pulsar and Apache Pinot
Building a Real-Time Analytics Application with Apache Pulsar and Apache PinotBuilding a Real-Time Analytics Application with Apache Pulsar and Apache Pinot
Building a Real-Time Analytics Application with Apache Pulsar and Apache Pinot
 
OSA Con 2022 - Building a Real-time Analytics Application with Apache Pulsar ...
OSA Con 2022 - Building a Real-time Analytics Application with Apache Pulsar ...OSA Con 2022 - Building a Real-time Analytics Application with Apache Pulsar ...
OSA Con 2022 - Building a Real-time Analytics Application with Apache Pulsar ...
 
Q315 citi-conf-090915
Q315 citi-conf-090915Q315 citi-conf-090915
Q315 citi-conf-090915
 
Networking: New Capabilities for Amazon Virtual Private Cloud
Networking: New Capabilities for Amazon Virtual Private Cloud Networking: New Capabilities for Amazon Virtual Private Cloud
Networking: New Capabilities for Amazon Virtual Private Cloud
 
DPR202 Open Data for the Open Web
DPR202 Open Data for the Open WebDPR202 Open Data for the Open Web
DPR202 Open Data for the Open Web
 
itSMF Spanish Conference Deck
itSMF Spanish Conference Deck itSMF Spanish Conference Deck
itSMF Spanish Conference Deck
 
itSMF Espana presentation
itSMF Espana presentationitSMF Espana presentation
itSMF Espana presentation
 
Adding Realtime to your Projects
Adding Realtime to your ProjectsAdding Realtime to your Projects
Adding Realtime to your Projects
 
Best Practices with IoT Security - February Online Tech Talks
Best Practices with IoT Security - February Online Tech TalksBest Practices with IoT Security - February Online Tech Talks
Best Practices with IoT Security - February Online Tech Talks
 
Scaling by Design: AWS Web Services Patterns
Scaling by Design: AWS Web Services PatternsScaling by Design: AWS Web Services Patterns
Scaling by Design: AWS Web Services Patterns
 
Scaling by Design: AWS Web Services Patterns
Scaling by Design: AWS Web Services PatternsScaling by Design: AWS Web Services Patterns
Scaling by Design: AWS Web Services Patterns
 
AWS Power Tools: Advanced AWS CloudFormation and CLI
AWS Power Tools: Advanced AWS CloudFormation and CLIAWS Power Tools: Advanced AWS CloudFormation and CLI
AWS Power Tools: Advanced AWS CloudFormation and CLI
 
Let's get evil - threat modeling at scale
Let's get evil - threat modeling at scaleLet's get evil - threat modeling at scale
Let's get evil - threat modeling at scale
 
AWS Summit Canberra Keynote 2016
AWS Summit Canberra Keynote 2016AWS Summit Canberra Keynote 2016
AWS Summit Canberra Keynote 2016
 
Web application I have always dreamt of
Web application I have always dreamt ofWeb application I have always dreamt of
Web application I have always dreamt of
 
For Critical Infrastructure Protection
For Critical Infrastructure ProtectionFor Critical Infrastructure Protection
For Critical Infrastructure Protection
 
Managing microservices with istio on OpenShift - Meetup
Managing microservices with istio on OpenShift - MeetupManaging microservices with istio on OpenShift - Meetup
Managing microservices with istio on OpenShift - Meetup
 

Mehr von Saumil Shah

The Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksThe Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksSaumil Shah
 
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSDebugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSSaumil Shah
 
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkUnveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkSaumil Shah
 
Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332Saumil Shah
 
Precise Presentations
Precise PresentationsPrecise Presentations
Precise PresentationsSaumil Shah
 
Effective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceEffective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceSaumil Shah
 
INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020Saumil Shah
 
Cyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadCyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadSaumil Shah
 
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceCybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceSaumil Shah
 
NSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadNSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadSaumil Shah
 
Cybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadCybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadSaumil Shah
 
INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019Saumil Shah
 
Introducing ARM-X
Introducing ARM-XIntroducing ARM-X
Introducing ARM-XSaumil Shah
 
The Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDThe Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDSaumil Shah
 
The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019Saumil Shah
 
The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019Saumil Shah
 
Schrödinger's ARM Assembly
Schrödinger's ARM AssemblySchrödinger's ARM Assembly
Schrödinger's ARM AssemblySaumil Shah
 
ARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMSARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMSSaumil Shah
 
What Makes a Compelling Photograph
What Makes a Compelling PhotographWhat Makes a Compelling Photograph
What Makes a Compelling PhotographSaumil Shah
 
Make ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKMake ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKSaumil Shah
 

Mehr von Saumil Shah (20)

The Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksThe Hand That Strikes, Also Blocks
The Hand That Strikes, Also Blocks
 
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSDebugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
 
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkUnveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
 
Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332
 
Precise Presentations
Precise PresentationsPrecise Presentations
Precise Presentations
 
Effective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceEffective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual Audience
 
INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020
 
Cyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadCyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade Ahead
 
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceCybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
 
NSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadNSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade Ahead
 
Cybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadCybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade Ahead
 
INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019
 
Introducing ARM-X
Introducing ARM-XIntroducing ARM-X
Introducing ARM-X
 
The Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDThe Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBD
 
The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019
 
The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019
 
Schrödinger's ARM Assembly
Schrödinger's ARM AssemblySchrödinger's ARM Assembly
Schrödinger's ARM Assembly
 
ARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMSARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMS
 
What Makes a Compelling Photograph
What Makes a Compelling PhotographWhat Makes a Compelling Photograph
What Makes a Compelling Photograph
 
Make ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKMake ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEK
 

Kürzlich hochgeladen

Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
Clustering techniques data mining book ....
Clustering techniques data mining book ....Clustering techniques data mining book ....
Clustering techniques data mining book ....ShaimaaMohamedGalal
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfCionsystems
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 

Kürzlich hochgeladen (20)

Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Clustering techniques data mining book ....
Clustering techniques data mining book ....Clustering techniques data mining book ....
Clustering techniques data mining book ....
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdf
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Exploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the ProcessExploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the Process
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 

Web Security: A Journey - UC San Diego

  • 1. net-square UCSD July '15 Web Security: A Journey Saumil Shah CEO Net Square UC San Diego – 23 July 2015
  • 2. net-square UCSD July '15 Saumil Shah @therealsaumil saumilshah hacker speaker trainer entrepreneur traveler photographer calligrapher kite-flyer software breaker rebel global net-square.com
  • 3. net-square UCSD July '15 WE ARE HACKERS WE PUSH THE ENVELOPE WE THRIVE ON FACTS AND LOGIC.. ..AND LATERAL THINKING WE QUESTION AND CHALLENGE AND WORK ON LIMITED RESOURCES
  • 4. net-square UCSD July '15 Enter the WEB
  • 5. net-square UCSD July '15 HTTP •  Deliver HTML pages to browsers. •  Cross platform document delivery. •  Application independent. •  Standard markup. •  CLIENT: Web browser •  SERVER: HTTP server
  • 6. net-square UCSD July '15 Web Applications WebServer App Server DB
  • 7. net-square UCSD July '15 Client/Server vs. Web Apps Application Protocol Authentication Concurrent Sessions Data Representation DataValidation Business Logic Presentation HTTP Authentication Concurrent Sessions Data Representation DataValidation Business Logic Presentation
  • 8. net-square UCSD July '15 Application Delivery HTTP Authentication Statefulness Data Types Data Validation CGI HTML JS AJAX Flash HTML5 Silverlight Web sockets Web workers Local storage
  • 9. net-square UCSD July '15 Browser Architecture DOM HTML+CSS Javascript ActiveX mimetypes toolbars Flash libraries <div> <img> <iframe> <body> <form> <input> <table> <style> <object> <embed> <script>
  • 10. net-square UCSD July '15 1995-1998
  • 13. net-square UCSD July '15 2008-present
  • 14. net-square UCSD July '15 A Revival
  • 15. net-square UCSD July '15 What shall your response be? GET / HTTP/1.0 GET /nonexist.ent HTTP/1.0
  • 16. net-square UCSD July '15 What shall your response be? ZOMFG / HTTP/1.0 GET / HTTP/3.0 GET / JUNK/1.0
  • 17. net-square UCSD July '15 The responders Test Apache Microsoft IIS SunONE GET / HTTP/1.0 200 200 200 GET /nonexist.ent HTTP/1.0 404 404 404 DELETE / HTTP/1.0 405 403 401 GET / HTTP/3.0 400 200 505 GET / JUNK/1.0 200 400 none
  • 18. net-square UCSD July '15 x=hello&x=world •  A: "hello" •  B: "world" •  C: "hello, world" •  D: WTF
  • 19. net-square UCSD July '15 x=hello&x=world Web Server Value of x Apache "world" IBM HTTP Server "hello" Domino "world" IIS "hello, world" Tomcat "hello" Python/Zope Array ['hello', 'world']
  • 20. net-square UCSD July '15 Sources of Software Errors User Input Race Condition Environment Resource Exhaustion
  • 21. net-square UCSD July '15 The "banana" test I CAN HAZ BANANA?
  • 22. net-square UCSD July '15 Circle of HTTP Trust Your Users
  • 23. net-square UCSD July '15 The user's going to pick dancing pigs over security every time. Bruce Schneier
  • 24. net-square UCSD July '15 Technology in the hands of users
  • 25. net-square UCSD July '15 Thank You... Questions? saumil@net-square.com @therealsaumil