Web application security
1. Web Application Security
Firewalls will not be able to protect you
Akash Mahajan – Chapter Lead for null Bangalore
2. What should keep you up at night
• 95% of attacks were against “web servers and web applications”, i.e. websites.
• The top 3 verticals compromised were Financial
Services, Hospitality and Retail.
• More than 60% of attacks were caused by external
agents.
• Primary attack vector was SQL Injection and was
used to install customized malware.
• Injection attacks are the #1 critical flaw in applications (OWASP Top 10 2010, A1).
Sources: Verizon DBIR 2010, WhiteHat Security statistics, OWASP Top 10 2010
3. Web App Attacks
• SQL Injection Attacks
• A number plate crafted to foil an automatic license plate scanner: the plate text itself is the attack string.
• An attack in which attacker-supplied input is executed as part of the application's SQL query.
5. Web App Attacks
• XSS was used to get root on an apache.org server in April 2010.
• A popular shopping website that used to sell only books and now sells other things as well.
• The inner window is an iframe injected via a simple search request (the search term is reflected into the page unescaped).
Picture courtesy null Keeda Vulnerability Database
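The iframe-in-a-search-request case from the slide, as an added example not taken from the deck or from the site pictured: a search handler that reflects the `q` parameter into the page, beside the same handler with output encoding. The URL, hostnames and page template are constructed for the demo.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed attack URL (hostnames are placeholders): q= carries an <iframe>
# pointing at an attacker-controlled page, URL-encoded the way a browser sends it.
ATTACK_URL = (
    "https://shop.example/search?q="
    "%3Ciframe+src%3D%22https%3A%2F%2Fattacker.example%2Flogin%22%3E%3C%2Fiframe%3E"
)


def query_from_url(url):
    """Extract the q= parameter the way a search handler would (decoded)."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def search_page_vulnerable(query):
    """Reflects the term into HTML as-is: whatever the attacker put in the
    query string is parsed as markup by every victim who clicks the link."""
    return "<h1>Results for: %s</h1>" % query


def search_page_safe(query):
    """Same page with HTML output encoding: <, >, &, \" and ' become entities,
    so the term is displayed as text and cannot open a new element."""
    return "<h1>Results for: %s</h1>" % escape(query, quote=True)


def contains_live_iframe(html):
    """Crude check used by the demo: does the HTML contain a real <iframe> tag?"""
    return "<iframe" in html


def demo(url=ATTACK_URL):
    q = query_from_url(url)
    return {
        "query": q,
        "vulnerable_has_iframe": contains_live_iframe(search_page_vulnerable(q)),
        "safe_has_iframe": contains_live_iframe(search_page_safe(q)),
        "safe_html": search_page_safe(q),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-22s %s" % (k, v))
```

Encode at the point of output for the context you are writing into (here an HTML element body); the same term placed inside a JavaScript string or a URL attribute needs a different encoding.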
6. Other Critical Flaws/Attacks
• Cross Site Request Forgery
  o Attacks the user of the application
• Clickjacking
  o Facebook “Like” attack
• Security Misconfigurations
  o Default passwords in DSL routers
• Insecure Cryptographic Storage
  o Apache attack
• Tiny URLs
  o Employees trust and click on anything!
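For the CSRF and clickjacking items above, an added example that is not from the deck: a model of a state-changing POST handler that checks a synchronizer token tied to the session, and sends the response headers that stop the page being framed. The secret, session id and form fields are constructed for the demo; a real application would persist the secret and bind the handler to its framework.

```python
import hashlib
import hmac
import os

# Assumption: a per-deployment secret. Generated per process here for the demo;
# a real application keeps it in its secrets store.
SECRET = os.urandom(32)

# Headers that stop the page being loaded in a frame on another site
# (the clickjacking "Like" trick needs the victim page inside an attacker's frame).
ANTI_FRAMING_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}


def issue_csrf_token(session_id):
    """Synchronizer token: derived from the session so the form that embeds it
    can only have been rendered to the logged-in user, not by another site."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id, submitted):
    """Constant-time comparison; a missing token is simply invalid."""
    expected = issue_csrf_token(session_id).encode()
    return hmac.compare_digest(expected, (submitted or "").encode())


def handle_transfer(session_id, form):
    """Constructed handler for a money-transfer POST.

    Returns (status, body, headers). The browser attaches the victim's session
    cookie to any cross-site form post, so session_id alone proves nothing;
    only a request carrying the token rendered into the real form is accepted."""
    if not csrf_token_valid(session_id, form.get("csrf")):
        return 403, "rejected: CSRF token missing or wrong", dict(ANTI_FRAMING_HEADERS)
    body = "transferred %s to %s" % (form["amount"], form["to"])
    return 200, body, dict(ANTI_FRAMING_HEADERS)


def demo():
    session = "sess-1234"  # constructed session id
    forged = {"amount": "1000", "to": "attacker"}  # posted from another site
    legit = {"amount": "10", "to": "bob", "csrf": issue_csrf_token(session)}
    return {
        "forged": handle_transfer(session, forged)[0],
        "legit": handle_transfer(session, legit)[0],
        "wrong_session": handle_transfer("sess-9999", legit)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The two defences are independent: the token stops a cross-site POST from succeeding, and the framing headers stop the legitimate page from being overlaid and clicked on the attacker's behalf.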
7. Solutions/Mitigations
• Training in Secure Coding for Developers
• Code Reviews by competent security folks
• Regular mining of web server logs
• Application Security Practice
• Awareness about new attacks
• Set up a red team in the company
8. About null
• null – Indian Open Security Community, null.co.in
• Registered non-profit society
• 5 active chapters in India
• We conduct monthly meetings, regular awareness
camps and trainings.
• More than 1000 security professionals and enthusiasts in the group.
• Null Keeda Vulnerability Database
http://keeda.nullcon.net
9. Akash Mahajan
• Chapter Lead of null Bangalore
• Web Security Consultant
• I hack, test, secure web apps and servers
• Help companies become secure on AWS cloud
• Website: akashm.com
• Email: akashmahajan@gmail.com / aka@null.co.in
• Twitter: @makash
• LinkedIn: www.linkedin.com/in/akashm