Is the Web @ Risk?
World Internet Project Meeting 2010

Carlos Serrão
ISCTE-IUL / SoTA / ADETTI-IUL
Instituto Superior de Ciências do Trabalho e da Empresa, Instituto Universitário de Lisboa
School of Technology and Architecture, ADETTI-IUL
carlos.serrao@iscte.pt
carlos.j.serrao@gmail.com
http://www.carlosserrao.net
http://blog.carlosserrao.net
http://www.linkedin.com/in/carlosserrao
Is the Web…
   … at risk?
   … a risk?
   … putting YOU at risk?

WHY? HOW? WHEN?
The Internet… and the WWW, in the beginning...

Vinton Gray Cerf and Robert Elliot Kahn
   … a.k.a. the "Internet fathers"
The Internet was created…
   … as a ubiquitous
   … decentralized
   … standardized
   … global
   … interconnected
   … digital
… communications channel.
in the beginning...

(Sir) Tim Berners-Lee
   … a.k.a. the "WWW father"
The WWW was created!

A system of interlinked hypertext documents accessed via the Internet.

Infinite worldwide knowledge access.
growth: an evolving, growing network, seen from the user's side, in three stages

Stage 1
   - Small data part on a specific web-site (or a limited number of web-sites)
   - Applications on the desktop
   - Most data is on the desktop
   - Data processing on the desktop

Stage 2
   - Large amounts of data on a large number of sites
   - Applications on the desktop and Web (more and more)
   - Part of the data still on the desktop (but also mobile)
   - Data processing on the desktop, but also on the web

Stage 3
   - Data on the Cloud
   - Applications on the Web and Cloud
   - Data almost nonexistent on the desktop (still on mobile)
   - Data processing almost nonexistent on the desktop
security++
what do we have today?
   anti-virus
   anti-malware
   anti-spyware
   firewalls
   intrusion detection systems
   …

   are they enough?
security++
YES, but…
   do they protect the user from the web applications?

   can a Web application be compromised to hurt legitimate users?

   sure it can.
security++
How?
   Do you trust your favorite web-applications?
      Google
      Gmail

   Do you trust your favorite social-web applications?
      Facebook
      Twitter

   Do you trust your homebanking?
   Do you trust your government web-sites?
security++
The security perimeter has huge security holes in the application layer.

[Diagram: an APPLICATION ATTACK passes through the Network Layer (Firewall, Firewall, Hardened OS, Web Server, App Server) and reaches the Application Layer (Custom Developed Application Code, Legacy Systems, Web Services, Directories, Databases, Billing, Human Resources)]
implications…

security trends

problem types: typical problems on web apps

the security risks
   http://www.owasp.org/index.php/Top_10
security risks
considering the three most important:
   A1: Injection
   A2: Cross Site Scripting (XSS)
   A5: Cross Site Request Forgery (CSRF)
A1: Injection
what if?

   SELECT * FROM users usr
   WHERE usr.username = 'admin';--'
   AND usr.password='bb21158c733229347bd4e681891e213d94c685be'

any input from the web app user can be an attack vector
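The query above, as an added example (not code from the slides) run against an in-memory SQLite table with constructed sample data: the concatenated version accepts the username shown on the slide without any password, the parameterised version does not. Function names, the table contents and the password value are assumptions.

```python
import hashlib
import sqlite3

# Constructed sample data: one user whose password is stored as a SHA-1 hex
# digest, the same shape as the hash in the slide's query. (Illustration only:
# a real application would use a salted, slow password hash.)
USERS = [("admin", hashlib.sha1(b"s3cret-constructed").hexdigest())]


def setup_db():
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, the pattern the slide shows.

    The username value becomes part of the SQL text, so a value such as
    admin';-- closes the string literal, ends the statement with ';' and
    turns the whole password check into a comment.
    """
    pw_hash = hashlib.sha1(password.encode()).hexdigest()
    sql = ("SELECT * FROM users usr WHERE usr.username = '" + username +
           "' AND usr.password='" + pw_hash + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterised(conn, username, password):
    """Same check with bound parameters: the username is always data, never SQL."""
    pw_hash = hashlib.sha1(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT * FROM users usr WHERE usr.username = ? AND usr.password = ?",
        (username, pw_hash),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable, correct password:   ",
          login_vulnerable(db, "admin", "s3cret-constructed"))
    print("vulnerable, injected username:  ",
          login_vulnerable(db, "admin';--", "wrong"))
    print("parameterised, injected username:",
          login_parameterised(db, "admin';--", "wrong"))
```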
A2: Cross Site Scripting (XSS)
injecting a malicious payload into the web app from the end-user side, to be redirected to other users (victims)

   1  Attacker sets the trap – update my profile: the attacker enters a malicious script into a web page that stores the data on the server (an application with a stored XSS vulnerability)

   2  Victim views page – sees attacker profile: the script runs inside the victim's browser with full access to the DOM and cookies

   3  Script silently sends the attacker the victim's session cookie
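An added example (not from the slides) of the two controls that break the three steps above: output-encoding the stored profile data before it is rendered, and issuing the session cookie with HttpOnly so script in the page cannot read it. The rendering functions, the stored profile text and the cookie name are constructed assumptions.

```python
import html
from http.cookies import SimpleCookie

# Constructed attacker-controlled profile text of the kind step 1 stores on the
# server: markup submitted where a display name was expected.
STORED_PROFILE_NAME = '<script>alert("stored xss")</script>'


def render_profile_unsafe(display_name):
    """Interpolates stored data straight into the page, so any markup it
    contains is executed by every visitor's browser (step 2)."""
    return "<h1>Profile of " + display_name + "</h1>"


def render_profile_safe(display_name):
    """Output-encodes the stored data for an HTML text context, so the browser
    displays the characters instead of interpreting them as markup."""
    return "<h1>Profile of " + html.escape(display_name, quote=True) + "</h1>"


def contains_script(rendered_html):
    """Crude check used to compare the two renderers: is a <script tag left?"""
    return "<script" in rendered_html.lower()


def session_cookie_header(session_id):
    """Builds the Set-Cookie header for the session: HttpOnly keeps the cookie
    out of reach of page script (limiting step 3), Secure restricts it to
    HTTPS and SameSite=Lax stops most cross-site sends."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Lax"
    return cookie.output(header="Set-Cookie:").strip()


if __name__ == "__main__":
    print(render_profile_unsafe(STORED_PROFILE_NAME))
    print(render_profile_safe(STORED_PROFILE_NAME))
    print(session_cookie_header("constructed-session-id"))
```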
A5: Cross Site Request Forgery (CSRF)
an attacker can build their own malicious website and initiate requests from the user's browser

   1  Attacker sets the trap on some website on the internet (or simply via an e-mail): a hidden <img> tag contains the attack against the vulnerable site (an application with a CSRF vulnerability)

   2  While logged into the vulnerable site, the victim views the attacker's site: the <img> tag is loaded by the browser, which sends a GET request (including credentials) to the vulnerable site

   3  The vulnerable site sees a legitimate request from the victim and performs the action requested
A5: Cross Site Request Forgery (CSRF)

Alice transfers 100€ to Bob through bank.com:

   POST http://bank.com/transfer.do HTTP/1.1
   ...
   ...
   ...
   Content-Length: 19

   acct=BOB&amount=100

Pirate
   realizes that the same bank.com web application can execute the transfer using a URL with parameters
   GET http://bank.com/transfer.do?acct=BOB&amount=100 HTTP/1.1

   will try to use Alice to transfer 100.000€ to its own account
   http://bank.com/transfer.do?acct=MARIA&amount=100000

   sends an HTML email to Alice with a URL to click
   <a href="http://bank.com/transfer.do?acct=MARIA&amount=100000">View my Pictures!</a>

   or, sends an HTML email to Alice with an image to hide the attack
   <img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" width="1" height="1" border="0">

Alice
   if Alice is authenticated at bank.com with an active session, the transfer is performed
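An added example (not code from the slides or from any real bank) of how the transfer.do handler above could refuse the forged requests: state-changing actions are accepted only over POST, and only with a per-session anti-CSRF token that the attacker's page cannot know. The handler, session store and token field name are hypothetical.

```python
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed in-memory session store for the hypothetical bank.com:
# session id -> {"user": ..., "csrf_token": ...}.
SESSIONS = {}


def new_session(user):
    """Log a user in and issue a random per-session anti-CSRF token, which the
    transfer form would embed as a hidden field."""
    session_id = secrets.token_hex(16)
    SESSIONS[session_id] = {"user": user, "csrf_token": secrets.token_hex(16)}
    return session_id


def transfer_handler(method, session_id, body, query=""):
    """Hypothetical handler for bank.com/transfer.do.

    Returns (status_code, message). The browser sends the session cookie with
    every request, so the cookie alone cannot distinguish Alice's own form
    submission from the <img> or <a> request triggered from the pirate's mail.
    """
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, "not authenticated"
    # The GET variant is rejected outright: a transfer reachable through a URL
    # with parameters is exactly what the hidden <img> tag exploits.
    if method != "POST":
        return 405, "transfers must be sent with POST"
    params = {k: v[0] for k, v in parse_qs(body).items()}
    # Constant-time comparison of the submitted token with the session's token;
    # a forged cross-site form has no way to include the right value.
    token = params.get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf_token"]):
        return 403, "missing or invalid anti-CSRF token"
    try:
        amount = int(params["amount"])
        account = params["acct"]
    except (KeyError, ValueError):
        return 400, "bad parameters"
    if amount <= 0:
        return 400, "bad amount"
    return 200, "%s transferred %d to %s" % (session["user"], amount, account)


if __name__ == "__main__":
    sid = new_session("alice")
    token = SESSIONS[sid]["csrf_token"]
    # The pirate's <img> request: GET with the parameters in the URL.
    print(transfer_handler("GET", sid, "", "acct=MARIA&amount=100000"))
    # A cross-site POSTed form: no token.
    print(transfer_handler("POST", sid, "acct=MARIA&amount=100000"))
    # Alice's own form submission, carrying the token from the rendered form.
    print(transfer_handler("POST", sid, "acct=BOB&amount=100&csrf_token=" + token))
```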
consequences

This is serious!!!

And we are just looking at the tip of the iceberg!
[quick] conclusions
   Extra care with the web applications you trust your data to
   Extra care in the way you handle your email
   Always be suspicious of anything "strange" on the web
   WebApp developers, take care in what you do – your code is part of the security perimeter

The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
Fact vs. Fiction: Autodetecting Hallucinations in LLMs
Fact vs. Fiction: Autodetecting Hallucinations in LLMsFact vs. Fiction: Autodetecting Hallucinations in LLMs
Fact vs. Fiction: Autodetecting Hallucinations in LLMs
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 

Is the Web at Risk?

  • 1. is the web @ risk ? World Internet Project Meeting 2010 ISCTE-IUL/SoTA/ADETTI-IUL Carlos Serrão Instituto Superior de Ciências do Trabalho e da Empresa carlos.serrao@iscte.pt Instituto Universitário de Lisboa carlos.j.serrao@gmail.com School of Technology and Architecture ADETTI-IUL http://www.carlosserrao.net http://blog.carlosserrao.net http://www.linkedin.com/in/carlosserrao
  • 2. Is the Web … … at risk? … a risk? … putting YOU at risk? WHY? HOW? WHEN?
  • 3. The Internet… … and the WWW, in the beginning.
  • 4. in the beginning... Vinton Gray Cerf Robert Elliot Kahn … a.k.a. the “Internet fathers”
  • 5. The Internet was created… … as a ubiquitous … decentralized … standardized … global … interconnected … digital … communications channel.
  • 6. in the beginning... (Sir) Tim Berners Lee … a.k.a. the “WWW father”
  • 7. The WWW was created! A system of interlinked hypertext documents accessed via the Internet. Infinite worldwide knowledge access.
  • 9. evolving, growing network
      - Phase 1: small data part on a specific web-site (or limited number of web-sites); applications on the desktop; most data is on the desktop (but also mobile); data processing on the desktop
      - Phase 2: large amounts of data on a large number of sites; applications on the desktop and Web (more and more); part of the data still on desktop; data processing on the desktop, but also on the web
      - Phase 3: data on the Cloud; applications on the Web and Cloud; data almost inexistent on the desktop (still on mobile); data processing almost inexistent on the user
  • 12. security++: what do we have today?
      - anti-virus
      - anti-malware
      - anti-spyware
      - firewalls
      - intrusion detection systems
      - …
      - are they enough?
  • 13. security++: YES, but…
      - do they protect the user from the web applications?
      - can a Web application be compromised to hurt legitimate users?
      - sure it can.
  • 14. security++: How?
      - Do you trust your favorite web applications? (Google, Gmail)
      - Do you trust your favorite social web applications? (Facebook, Twitter)
      - Do you trust your home banking?
      - Do you trust your government web sites?
  • 15. security++: The security perimeter has huge security holes in the application layer. [Diagram: an APPLICATION ATTACK passes through the Network Layer (Firewall, Hardened OS, Firewall) into the Application Layer (Web Server, App Server, Custom Developed Application Code, Legacy Systems, Human Resources, Web Services, Directories, Databases, Billing).]
  • 17. security trends: problem types, typical problems on web apps
  • 18. the security risks http://www.owasp.org/index.php/Top_10
  • 19. security risks: considering the three most important
      - A1: Injection
      - A2: Cross Site Scripting (XSS)
      - A5: Cross Site Request Forgery (CSRF)
  • 20. A1: Injection what if?
  • 21. A1: Injection, what if? SELECT * FROM users usr WHERE usr.username = 'admin';--' AND usr.password='bb21158c733229347bd4e681891e213d94c685be'
  • 22. A1: Injection what if?
  • 23. any input from the web app user can be an attack vector
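The query on slide 21 as an added example (not from the deck): the same login lookup written once by string concatenation, which lets the `admin';--` username comment out the password check, and once with bound parameters, which keeps it as plain data. The in-memory table, user and password are constructed for the example.

```python
import hashlib
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for the web app's database.
    The deck's password column holds an unsalted SHA-1 hex digest, mirrored here;
    a real login store would use a slow, salted hash (bcrypt, scrypt, argon2)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("admin", hashlib.sha1(b"correct horse").hexdigest()))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The slide's query built by string concatenation (A1: Injection).

    Whatever the user types becomes part of the SQL text, so the username
    admin';--  closes the string literal, ends the statement and turns the
    password comparison into a comment."""
    pw_hash = hashlib.sha1(password.encode()).hexdigest()
    query = ("SELECT * FROM users usr WHERE usr.username = '" + username
             + "' AND usr.password='" + pw_hash + "'")
    return conn.execute(query).fetchone()


def login_safe(conn, username, password):
    """Same lookup with bound parameters: the SQL text and the values travel
    separately, so quote and comment characters in the input stay data."""
    pw_hash = hashlib.sha1(password.encode()).hexdigest()
    query = "SELECT * FROM users usr WHERE usr.username = ? AND usr.password = ?"
    return conn.execute(query, (username, pw_hash)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "admin';--", "wrong"))  # admin row
    print("safe:      ", login_safe(db, "admin';--", "wrong"))        # None
```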
  • 24. A2: Cross Site Scripting (XSS): injecting a malicious payload into the web app from the end-user side, to be redirected to other users (victims)
  • 25. A2: Cross Site Scripting (XSS) [diagram: application with stored XSS vulnerability; custom code behind business functions such as Knowledge Mgmt, Communication, Administration, Bus. Functions, E-Commerce, Transactions, Accounts, Finance]
      1. Attacker sets the trap (“update my profile”): attacker enters a malicious script into a web page that stores the data on the server
      2. Victim views page and sees attacker profile: script runs inside victim’s browser with full access to the DOM and cookies
      3. Script silently sends attacker the victim’s session cookie
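Added example (not part of the deck) for the stored XSS scenario on slides 24 and 25: a profile rendered once without output encoding and once with encoding chosen per context, plus the cookie attribute that blocks step 3. The profile store, field names and payloads are constructed for the example.

```python
import html
from urllib.parse import urlsplit

# Constructed profile store: step 1 of the slide is the attacker writing here
# through the application's own "update my profile" feature.
PROFILES = {}


def update_profile(user, name, website, bio):
    # Stored as typed: the defence belongs at output time, because the correct
    # encoding depends on where the value lands in the page.
    PROFILES[user] = {"name": name, "website": website, "bio": bio}


def render_vulnerable(user):
    """Stored values pasted straight into the HTML (the slide's step 2)."""
    p = PROFILES[user]
    return (f'<h1>{p["name"]}</h1><a href="{p["website"]}">site</a>'
            f'<p>{p["bio"]}</p>')


def safe_url(value):
    """URL context: HTML escaping does not neutralise a javascript: link, so the
    scheme is validated and anything else becomes a harmless anchor."""
    parts = urlsplit(value.strip())
    if parts.scheme.lower() in ("http", "https") and parts.netloc:
        return html.escape(value, quote=True)
    return "#"


def render_hardened(user):
    """Same page with context-aware output encoding."""
    p = PROFILES[user]
    name = html.escape(p["name"], quote=True)  # text node or quoted attribute
    bio = html.escape(p["bio"], quote=True)    # text node
    return (f'<h1>{name}</h1><a href="{safe_url(p["website"])}">site</a>'
            f'<p>{bio}</p>')


def session_cookie(value):
    """Step 3 needs script access to the cookie; HttpOnly keeps it out of
    document.cookie, so even a missed escape cannot leak the session."""
    return f"session={value}; Path=/; Secure; HttpOnly; SameSite=Lax"
```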
  • 26. A5: Cross Site Request Forgery (CSRF): an attacker can build their own malicious website and initiate requests from the user’s browser
  • 27. A5: Cross Site Request Forgery (CSRF) [diagram: application with CSRF vulnerability; custom code behind Knowledge Mgmt, Communication, Administration, Bus. Functions, Transactions, E-Commerce, Accounts, Finance]
      1. Attacker sets the trap on some website on the internet (or simply via an e-mail): a hidden <img> tag contains an attack against the vulnerable site
      2. While logged into the vulnerable site, the victim views the attacker site: the <img> tag is loaded by the browser, which sends a GET request (including credentials) to the vulnerable site
      3. The vulnerable site sees a legitimate request from the victim and performs the action requested
  • 28. A5: Cross Site Request Forgery (CSRF)
      - Alice transfers 100€ to Bob through bank.com: POST http://bank.com/transfer.do HTTP/1.1 ... Content-Length: 19; acct=BOB&amount=100
      - Pirate realizes that the same bank.com web application can execute the transfer using a URL with parameters: GET http://bank.com/transfer.do?acct=BOB&amount=100 HTTP/1.1
      - Pirate will try to use Alice to transfer 100.000€ to its own account: http://bank.com/transfer.do?acct=MARIA&amount=100000
      - Pirate sends an HTML email to Alice with a URL to click: <a href="http://bank.com/transfer.do?acct=MARIA&amount=100000">View my Pictures!</a>
      - or sends an HTML email to Alice with an image to hide the attack: <img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" width="1" height="1" border="0">
      - Alice: if Alice is authenticated at bank.com with an active session, the transfer is performed
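The bank.com transfer from slides 27 and 28 as an added example (not from the deck): a toy server whose vulnerable handler accepts any request carrying Alice's session cookie, beside a hardened handler that refuses GET for state changes and requires a per-session token the browser will not add to a forged request. Accounts, balances, session id and the Request shape are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    params: dict                      # query string (GET) or form body (POST)
    cookies: dict = field(default_factory=dict)


class Bank:
    """Toy bank.com from the slide; all state is constructed for the example."""

    def __init__(self):
        self.balances = {"ALICE": 200_000, "BOB": 0, "MARIA": 0}
        # session id -> (account, per-session CSRF token rendered into the form)
        self.sessions = {"alice-session": ("ALICE", secrets.token_urlsafe(32))}

    def csrf_token(self, session_id):
        return self.sessions[session_id][1]

    def _session(self, req):
        return self.sessions.get(req.cookies.get("session"))

    def _move(self, src, dst, amount):
        if amount <= 0 or dst not in self.balances or self.balances[src] < amount:
            return 400
        self.balances[src] -= amount
        self.balances[dst] += amount
        return 200

    def transfer_vulnerable(self, req):
        """Slide 28: the browser attaches Alice's cookie to any request for
        bank.com, including the one triggered by the pirate's <img> tag, and the
        server treats a GET with parameters as proof of intent."""
        sess = self._session(req)
        if sess is None:
            return 401
        return self._move(sess[0], req.params["acct"], int(req.params["amount"]))

    def transfer_hardened(self, req):
        """Cookie alone is not intent: require POST and a token that only the
        page served to Alice knows (synchronizer token pattern)."""
        sess = self._session(req)
        if sess is None:
            return 401
        if req.method != "POST":                       # state changes never ride on GET
            return 405
        token = req.params.get("csrf_token", "")
        if not hmac.compare_digest(token.encode(), sess[1].encode()):
            return 403                                 # constant-time comparison
        return self._move(sess[0], req.params["acct"], int(req.params["amount"]))
```

A SameSite cookie attribute adds a second, browser-enforced layer, but the server-side token check is what makes the endpoint safe on its own.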
  • 29. consequences: This is serious!!! And we are just looking at the tip of the iceberg!
  • 30. [quick] conclusions
      - Extra care with the web applications you trust with your data
      - Extra care in the way you handle your email
      - Always be suspicious of something “strange” on the web
      - WebApp developers, take care in what you do: your code is part of the security perimeter