SlideShare uma empresa Scribd logo

Web application security

Akash Mahajan
Akash Mahajan
Tecnologia
1 de 9
Baixar para ler offline
Web Application Security Firewalls will not be able to protect you Akash Mahajan – Chapter Lead for null Bangalore
What should keep you up at night • 95% of attacks are against “Web Servers and Web Applications” aka Websites • The top 3 verticals compromised were Financial Services, Hospitality and Retail. • More than 60% of attacks were caused by external agents. • Primary attack vector was SQL Injection and was used to install customized malware. • Injection Attacks are #1 critical flaw in applications Sources Verizon DBIR 2010, Whitehat Sec Statistics, OWASP Top 10 2010
Web App Attacks • SQL Injection Attacks • Number plate to foil an automatic license plate scanner! • An attack which allows SQL to be executed as part of the input.
Web App Attacks • Bobby Tables!
Web App Attacks • XSS was used to get root on a apache.org server in April 2010 • A popular shopping website used to sell only books and now sell other stuff as well. • That inner window is an iframe injected in a simple search request. Picture courtesy null Keeda Vulnerability Database
Other Critical Flaws/Attacks • Cross Site Request Forgery o Attacks the user of the application • Clickjacking o Facebook Like attack • Security Mis-configurations o Default passwords in DSL routers • Insecure Cryptographic Storage o Apache Attack • Tiny URLs o Employees trust and click on anything!
Solutions/Mitigations • Training in Secure Coding for Developers • Code Reviews by competent security folks • Regular mining of web server logs • Application Security Practice • Awareness about new attacks • Setup a red team in the company
About null • Null – Indian Open Security Community null.co.in • Registered non-profit society • 5 active chapters in India • We conduct monthly meetings, regular awareness camps and trainings. • More than 1000+ security professionals and enthusiasts in the group. • Null Keeda Vulnerability Database http://keeda.nullcon.net
Akash Mahajan • Chapter Lead of null Bangalore • Web Security Consultant • I hack, test, secure web apps and servers • Help companies become secure on AWS cloud • Website: akashm.com • Email: akashmahajan@gmail.com / aka@null.co.in • Twitter: @makash • Linkedin: www.linkedin.com/in/akashm

Recomendados

Web application security
Web application securityWeb application security
Web application securityAkash Mahajan
 
Top 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanTop 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanAkash Mahajan
 
Layered API Security: What Hackers Don't Want You To Know
Layered API Security: What Hackers Don't Want You To KnowLayered API Security: What Hackers Don't Want You To Know
Layered API Security: What Hackers Don't Want You To KnowAaronLieberman5
 
The cyber house of horrors - securing the expanding attack surface
The cyber house of horrors - securing the expanding attack surfaceThe cyber house of horrors - securing the expanding attack surface
The cyber house of horrors - securing the expanding attack surfaceJason Bloomberg
 
Web security
Web security Web security
Web security Kaushal Bhavsar
 
OWASP API Security TOP 10 - 2019
OWASP API Security TOP 10 - 2019OWASP API Security TOP 10 - 2019
OWASP API Security TOP 10 - 2019Miguel Angel Falcón Muñoz
 
Data-driven API Security
Data-driven API SecurityData-driven API Security
Data-driven API SecurityApigee | Google Cloud
 
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Ajin Abraham
 

Recomendados

Web application security
Web application securityWeb application security
Web application securityAkash Mahajan
 
Top 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanTop 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanAkash Mahajan
 
Layered API Security: What Hackers Don't Want You To Know
Layered API Security: What Hackers Don't Want You To KnowLayered API Security: What Hackers Don't Want You To Know
Layered API Security: What Hackers Don't Want You To KnowAaronLieberman5
 
The cyber house of horrors - securing the expanding attack surface
The cyber house of horrors - securing the expanding attack surfaceThe cyber house of horrors - securing the expanding attack surface
The cyber house of horrors - securing the expanding attack surfaceJason Bloomberg
 
Web security
Web security Web security
Web security Kaushal Bhavsar
 
OWASP API Security TOP 10 - 2019
OWASP API Security TOP 10 - 2019OWASP API Security TOP 10 - 2019
OWASP API Security TOP 10 - 2019Miguel Angel Falcón Muñoz
 
Data-driven API Security
Data-driven API SecurityData-driven API Security
Data-driven API SecurityApigee | Google Cloud
 
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Ajin Abraham
 
Security as an Enabler for the Digital World - CISO Perspective
Security as an Enabler for the Digital World - CISO PerspectiveSecurity as an Enabler for the Digital World - CISO Perspective
Security as an Enabler for the Digital World - CISO PerspectiveApigee | Google Cloud
 
Windows Advance Threats - BSides Amman 2019
Windows Advance Threats - BSides Amman 2019Windows Advance Threats - BSides Amman 2019
Windows Advance Threats - BSides Amman 2019Ammar Hasayen
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World42Crunch
 
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Security Innovation
 
The Quiet Rise of Account Takeover
The Quiet Rise of Account TakeoverThe Quiet Rise of Account Takeover
The Quiet Rise of Account TakeoverIMMUNIO
 
Data-driven Security: Protect APIs from Adaptive Threats
Data-driven Security: Protect APIs from Adaptive ThreatsData-driven Security: Protect APIs from Adaptive Threats
Data-driven Security: Protect APIs from Adaptive ThreatsApigee | Google Cloud
 
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP SeraphimdroidMobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP SeraphimdroidNikola Milosevic
 
Managing Identities in the World of APIs
Managing Identities in the World of APIsManaging Identities in the World of APIs
Managing Identities in the World of APIsApigee | Google Cloud
 
The Dev, Sec and Ops of API Security - NordicAPIs
The Dev, Sec and Ops of API Security - NordicAPIsThe Dev, Sec and Ops of API Security - NordicAPIs
The Dev, Sec and Ops of API Security - NordicAPIs42Crunch
 
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionReducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionAlert Logic
 
WEBINAR: Positive Security for APIs: What it is and why you need it!
WEBINAR: Positive Security for APIs: What it is and why you need it! WEBINAR: Positive Security for APIs: What it is and why you need it!
WEBINAR: Positive Security for APIs: What it is and why you need it!42Crunch
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeAlert Logic
 
Web Application Security - DevFest + GDay George Town 2016
Web Application Security - DevFest + GDay George Town 2016Web Application Security - DevFest + GDay George Town 2016
Web Application Security - DevFest + GDay George Town 2016Gareth Davies
 
Secure Web Services
Secure Web ServicesSecure Web Services
Secure Web ServicesRob Daigneau
 
API Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAPI Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAkana
 
Jobvite: A Holistic Approach to Security
Jobvite: A Holistic Approach to SecurityJobvite: A Holistic Approach to Security
Jobvite: A Holistic Approach to SecurityTheodore Kim
 
Security guidelines
Security guidelinesSecurity guidelines
Security guidelineskarthz
 
Devbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityDevbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityMichael Coates
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonAdar Weidman
 
Securing Microservices with Spring Cloud Security
Securing Microservices with Spring Cloud SecuritySecuring Microservices with Spring Cloud Security
Securing Microservices with Spring Cloud SecurityWill Tran
 
The real incident of stealing a droid app+data
The real incident of stealing a droid app+dataThe real incident of stealing a droid app+data
The real incident of stealing a droid app+dataAkash Mahajan
 
INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-there
INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-thereINCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-there
INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-thereAkash Mahajan
 

Mais conteúdo relacionado

Mais procurados

Security as an Enabler for the Digital World - CISO Perspective
Security as an Enabler for the Digital World - CISO PerspectiveSecurity as an Enabler for the Digital World - CISO Perspective
Security as an Enabler for the Digital World - CISO PerspectiveApigee | Google Cloud
 
Windows Advance Threats - BSides Amman 2019
Windows Advance Threats - BSides Amman 2019Windows Advance Threats - BSides Amman 2019
Windows Advance Threats - BSides Amman 2019Ammar Hasayen
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World42Crunch
 
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Security Innovation
 
The Quiet Rise of Account Takeover
The Quiet Rise of Account TakeoverThe Quiet Rise of Account Takeover
The Quiet Rise of Account TakeoverIMMUNIO
 
Data-driven Security: Protect APIs from Adaptive Threats
Data-driven Security: Protect APIs from Adaptive ThreatsData-driven Security: Protect APIs from Adaptive Threats
Data-driven Security: Protect APIs from Adaptive ThreatsApigee | Google Cloud
 
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP SeraphimdroidMobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP SeraphimdroidNikola Milosevic
 
Managing Identities in the World of APIs
Managing Identities in the World of APIsManaging Identities in the World of APIs
Managing Identities in the World of APIsApigee | Google Cloud
 
The Dev, Sec and Ops of API Security - NordicAPIs
The Dev, Sec and Ops of API Security - NordicAPIsThe Dev, Sec and Ops of API Security - NordicAPIs
The Dev, Sec and Ops of API Security - NordicAPIs42Crunch
 
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionReducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionAlert Logic
 
WEBINAR: Positive Security for APIs: What it is and why you need it!
WEBINAR: Positive Security for APIs: What it is and why you need it! WEBINAR: Positive Security for APIs: What it is and why you need it!
WEBINAR: Positive Security for APIs: What it is and why you need it!42Crunch
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeAlert Logic
 
Web Application Security - DevFest + GDay George Town 2016
Web Application Security - DevFest + GDay George Town 2016Web Application Security - DevFest + GDay George Town 2016
Web Application Security - DevFest + GDay George Town 2016Gareth Davies
 
Secure Web Services
Secure Web ServicesSecure Web Services
Secure Web ServicesRob Daigneau
 
API Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAPI Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAkana
 
Jobvite: A Holistic Approach to Security
Jobvite: A Holistic Approach to SecurityJobvite: A Holistic Approach to Security
Jobvite: A Holistic Approach to SecurityTheodore Kim
 
Security guidelines
Security guidelinesSecurity guidelines
Security guidelineskarthz
 
Devbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityDevbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityMichael Coates
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonAdar Weidman
 
Securing Microservices with Spring Cloud Security
Securing Microservices with Spring Cloud SecuritySecuring Microservices with Spring Cloud Security
Securing Microservices with Spring Cloud SecurityWill Tran
 

Mais procurados (20)

Security as an Enabler for the Digital World - CISO Perspective
Security as an Enabler for the Digital World - CISO PerspectiveSecurity as an Enabler for the Digital World - CISO Perspective
Security as an Enabler for the Digital World - CISO Perspective
 
Windows Advance Threats - BSides Amman 2019
Windows Advance Threats - BSides Amman 2019Windows Advance Threats - BSides Amman 2019
Windows Advance Threats - BSides Amman 2019
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
 
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
 
The Quiet Rise of Account Takeover
The Quiet Rise of Account TakeoverThe Quiet Rise of Account Takeover
The Quiet Rise of Account Takeover
 
Data-driven Security: Protect APIs from Adaptive Threats
Data-driven Security: Protect APIs from Adaptive ThreatsData-driven Security: Protect APIs from Adaptive Threats
Data-driven Security: Protect APIs from Adaptive Threats
 
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP SeraphimdroidMobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
 
Managing Identities in the World of APIs
Managing Identities in the World of APIsManaging Identities in the World of APIs
Managing Identities in the World of APIs
 
The Dev, Sec and Ops of API Security - NordicAPIs
The Dev, Sec and Ops of API Security - NordicAPIsThe Dev, Sec and Ops of API Security - NordicAPIs
The Dev, Sec and Ops of API Security - NordicAPIs
 
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionReducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
 
WEBINAR: Positive Security for APIs: What it is and why you need it!
WEBINAR: Positive Security for APIs: What it is and why you need it! WEBINAR: Positive Security for APIs: What it is and why you need it!
WEBINAR: Positive Security for APIs: What it is and why you need it!
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
 
Web Application Security - DevFest + GDay George Town 2016
Web Application Security - DevFest + GDay George Town 2016Web Application Security - DevFest + GDay George Town 2016
Web Application Security - DevFest + GDay George Town 2016
 
Secure Web Services
Secure Web ServicesSecure Web Services
Secure Web Services
 
API Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAPI Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against Hacks
 
Jobvite: A Holistic Approach to Security
Jobvite: A Holistic Approach to SecurityJobvite: A Holistic Approach to Security
Jobvite: A Holistic Approach to Security
 
Security guidelines
Security guidelinesSecurity guidelines
Security guidelines
 
Devbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityDevbeat Conference - Developer First Security
Devbeat Conference - Developer First Security
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
 
Securing Microservices with Spring Cloud Security
Securing Microservices with Spring Cloud SecuritySecuring Microservices with Spring Cloud Security
Securing Microservices with Spring Cloud Security
 

Destaque

The real incident of stealing a droid app+data
The real incident of stealing a droid app+dataThe real incident of stealing a droid app+data
The real incident of stealing a droid app+dataAkash Mahajan
 
INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-there
INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-thereINCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-there
INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-thereAkash Mahajan
 
Secure HTTP Headers c0c0n 2011 Akash Mahajan
Secure HTTP Headers c0c0n 2011 Akash MahajanSecure HTTP Headers c0c0n 2011 Akash Mahajan
Secure HTTP Headers c0c0n 2011 Akash MahajanAkash Mahajan
 
Believe It Or Not SSL Attacks
Believe It Or Not SSL AttacksBelieve It Or Not SSL Attacks
Believe It Or Not SSL AttacksAkash Mahajan
 
Web application security
Web application securityWeb application security
Web application securityAkash Mahajan
 
Venom vulnerability Overview and a basic demo
Venom vulnerability Overview and a basic demoVenom vulnerability Overview and a basic demo
Venom vulnerability Overview and a basic demoAkash Mahajan
 
Hackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingHackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingAkash Mahajan
 

Destaque (7)

The real incident of stealing a droid app+data
The real incident of stealing a droid app+dataThe real incident of stealing a droid app+data
The real incident of stealing a droid app+data
 
INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-there
INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-thereINCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-there
INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-there
 
Secure HTTP Headers c0c0n 2011 Akash Mahajan
Secure HTTP Headers c0c0n 2011 Akash MahajanSecure HTTP Headers c0c0n 2011 Akash Mahajan
Secure HTTP Headers c0c0n 2011 Akash Mahajan
 
Believe It Or Not SSL Attacks
Believe It Or Not SSL AttacksBelieve It Or Not SSL Attacks
Believe It Or Not SSL Attacks
 
Web application security
Web application securityWeb application security
Web application security
 
Venom vulnerability Overview and a basic demo
Venom vulnerability Overview and a basic demoVenom vulnerability Overview and a basic demo
Venom vulnerability Overview and a basic demo
 
Hackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingHackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web Programming
 

Semelhante a Web application security

A DevOps Guide to Web Application Security
A DevOps Guide to Web Application SecurityA DevOps Guide to Web Application Security
A DevOps Guide to Web Application SecurityImperva Incapsula
 
Andrew Useckas Csa presentation hacking custom webapps 4 3
Andrew Useckas Csa presentation hacking custom webapps 4 3Andrew Useckas Csa presentation hacking custom webapps 4 3
Andrew Useckas Csa presentation hacking custom webapps 4 3Trish McGinity, CCSK
 
Jonathan Singer - Wheezing The Juice.pdf
Jonathan Singer - Wheezing The Juice.pdfJonathan Singer - Wheezing The Juice.pdf
Jonathan Singer - Wheezing The Juice.pdfJonathan Singer
 
Joomla Security Simplified —  Seven Easy Steps For a More Secure Website
Joomla Security Simplified —  Seven Easy Steps For a More Secure WebsiteJoomla Security Simplified —  Seven Easy Steps For a More Secure Website
Joomla Security Simplified —  Seven Easy Steps For a More Secure WebsiteImperva Incapsula
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins
 
How to Harden the Security of Your .NET Website
How to Harden the Security of Your .NET WebsiteHow to Harden the Security of Your .NET Website
How to Harden the Security of Your .NET WebsiteDNN
 
Web & Cloud Security in the real world
Web & Cloud Security in the real worldWeb & Cloud Security in the real world
Web & Cloud Security in the real worldMadhu Akula
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...IBM Security
 
Fragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your AppFragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your AppAppsecco
 
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017Philippe Gamache
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 Philippe Gamache
 
Application Security-Understanding The Horizon
Application Security-Understanding The HorizonApplication Security-Understanding The Horizon
Application Security-Understanding The HorizonLalit Kale
 
Become a Security Ninja
Become a Security NinjaBecome a Security Ninja
Become a Security NinjaPaul Gilzow
 
7 Vulnerabilities In Your Web Application That Can Open The Door To Security ...
7 Vulnerabilities In Your Web Application That Can Open The Door To Security ...7 Vulnerabilities In Your Web Application That Can Open The Door To Security ...
7 Vulnerabilities In Your Web Application That Can Open The Door To Security ...Inspirisys Solutions Limited
 
Top 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngTop 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngSecurity Bootcamp
 

Semelhante a Web application security (20)

A DevOps Guide to Web Application Security
A DevOps Guide to Web Application SecurityA DevOps Guide to Web Application Security
A DevOps Guide to Web Application Security
 
Andrew Useckas Csa presentation hacking custom webapps 4 3
Andrew Useckas Csa presentation hacking custom webapps 4 3Andrew Useckas Csa presentation hacking custom webapps 4 3
Andrew Useckas Csa presentation hacking custom webapps 4 3
 
Jonathan Singer - Wheezing The Juice.pdf
Jonathan Singer - Wheezing The Juice.pdfJonathan Singer - Wheezing The Juice.pdf
Jonathan Singer - Wheezing The Juice.pdf
 
Web hackingtools cf-summit2014
Web hackingtools cf-summit2014Web hackingtools cf-summit2014
Web hackingtools cf-summit2014
 
Joomla Security Simplified —  Seven Easy Steps For a More Secure Website
Joomla Security Simplified —  Seven Easy Steps For a More Secure WebsiteJoomla Security Simplified —  Seven Easy Steps For a More Secure Website
Joomla Security Simplified —  Seven Easy Steps For a More Secure Website
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
 
How to Harden the Security of Your .NET Website
How to Harden the Security of Your .NET WebsiteHow to Harden the Security of Your .NET Website
How to Harden the Security of Your .NET Website
 
Web & Cloud Security in the real world
Web & Cloud Security in the real worldWeb & Cloud Security in the real world
Web & Cloud Security in the real world
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
 
Web Security
Web SecurityWeb Security
Web Security
 
Fragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your AppFragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your App
 
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
 
Application Security-Understanding The Horizon
Application Security-Understanding The HorizonApplication Security-Understanding The Horizon
Application Security-Understanding The Horizon
 
Become a Security Ninja
Become a Security NinjaBecome a Security Ninja
Become a Security Ninja
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017
 
7 Vulnerabilities In Your Web Application That Can Open The Door To Security ...
7 Vulnerabilities In Your Web Application That Can Open The Door To Security ...7 Vulnerabilities In Your Web Application That Can Open The Door To Security ...
7 Vulnerabilities In Your Web Application That Can Open The Door To Security ...
 
Cybersecurity update 12
Cybersecurity update 12Cybersecurity update 12
Cybersecurity update 12
 
Top 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngTop 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn Cường
 

Mais de Akash Mahajan

On Writing Well - A talk given at WinjaBlogs Session
On Writing Well - A talk given at WinjaBlogs SessionOn Writing Well - A talk given at WinjaBlogs Session
On Writing Well - A talk given at WinjaBlogs SessionAkash Mahajan
 
App sec in the time of docker containers
App sec in the time of docker containersApp sec in the time of docker containers
App sec in the time of docker containersAkash Mahajan
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Akash Mahajan
 
I haz your mouse clicks and key strokes
I haz your mouse clicks and key strokesI haz your mouse clicks and key strokes
I haz your mouse clicks and key strokesAkash Mahajan
 
Secure passwords-theory-and-practice
Secure passwords-theory-and-practiceSecure passwords-theory-and-practice
Secure passwords-theory-and-practiceAkash Mahajan
 
Secure Programming In Php
Secure Programming In PhpSecure Programming In Php
Secure Programming In PhpAkash Mahajan
 

Mais de Akash Mahajan (8)

On Writing Well - A talk given at WinjaBlogs Session
On Writing Well - A talk given at WinjaBlogs SessionOn Writing Well - A talk given at WinjaBlogs Session
On Writing Well - A talk given at WinjaBlogs Session
 
App sec in the time of docker containers
App sec in the time of docker containersApp sec in the time of docker containers
App sec in the time of docker containers
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014
 
I haz your mouse clicks and key strokes
I haz your mouse clicks and key strokesI haz your mouse clicks and key strokes
I haz your mouse clicks and key strokes
 
Php security
Php securityPhp security
Php security
 
Secure passwords-theory-and-practice
Secure passwords-theory-and-practiceSecure passwords-theory-and-practice
Secure passwords-theory-and-practice
 
Secure Programming In Php
Secure Programming In PhpSecure Programming In Php
Secure Programming In Php
 
Startups Security
Startups SecurityStartups Security
Startups Security
 

Último

Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 

Último (20)

Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 

Web application security

  • 1. Web Application Security Firewalls will not be able to protect you Akash Mahajan – Chapter Lead for null Bangalore
  • 2. What should keep you up at night • 95% of attacks are against “Web Servers and Web Applications” aka Websites • The top 3 verticals compromised were Financial Services, Hospitality and Retail. • More than 60% of attacks were caused by external agents. • Primary attack vector was SQL Injection and was used to install customized malware. • Injection Attacks are #1 critical flaw in applications Sources Verizon DBIR 2010, Whitehat Sec Statistics, OWASP Top 10 2010
  • 3. Web App Attacks • SQL Injection Attacks • Number plate to foil an automatic license plate scanner! • An attack which allows SQL to be executed as part of the input.
  • 4. Web App Attacks • Bobby Tables!
  • 5. Web App Attacks • XSS was used to get root on a apache.org server in April 2010 • A popular shopping website used to sell only books and now sell other stuff as well. • That inner window is an iframe injected in a simple search request. Picture courtesy null Keeda Vulnerability Database
  • 6. Other Critical Flaws/Attacks • Cross Site Request Forgery o Attacks the user of the application • Clickjacking o Facebook Like attack • Security Mis-configurations o Default passwords in DSL routers • Insecure Cryptographic Storage o Apache Attack • Tiny URLs o Employees trust and click on anything!
  • 7. Solutions/Mitigations • Training in Secure Coding for Developers • Code Reviews by competent security folks • Regular mining of web server logs • Application Security Practice • Awareness about new attacks • Setup a red team in the company
  • 8. About null • Null – Indian Open Security Community null.co.in • Registered non-profit society • 5 active chapters in India • We conduct monthly meetings, regular awareness camps and trainings. • More than 1000+ security professionals and enthusiasts in the group. • Null Keeda Vulnerability Database http://keeda.nullcon.net
  • 9. Akash Mahajan • Chapter Lead of null Bangalore • Web Security Consultant • I hack, test, secure web apps and servers • Help companies become secure on AWS cloud • Website: akashm.com • Email: akashmahajan@gmail.com / aka@null.co.in • Twitter: @makash • Linkedin: www.linkedin.com/in/akashm