SlideShare uma empresa Scribd logo

Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013

Transferir como PPTX, PDF
Lostar
Lostar
Tecnologia
1 de 26
The “Top 10” Web Application Security Risks Murat Lostar
Why Web Application Security? • Mid – late 90s. • Early – 2000s. • Today • Tomorrow - Cloud, M2M • Always - People
OWASP – Top10 1. Injection 2. Broken Authentication and Session Management 3. Cross-Site Scripting (XSS) 4. Insecure Direct Object References 5. Security Misconfiguration 6. Sensitive Data Exposure 7. Missing Functional Level Access Control 8. Cross-Site Request Forgery (CSRF) 9. Using Known Vulnerable Components 10. Unvalidated Redirects and Forwards
1. Injection • Application sends untrusted data to an interpreter • Types: SQL, LDAP, Xpath, NoSQL queries; OS commands; XML parsers, SMTP Headers, program arguments, etc.
Injection Example • If exist (Select * from users where id= ‘@Name’ and pw= ‘@Pass’;) then logon successful
Injection Example • Username: admin • Password: ‘ or 1=1 -- • If exist (Select * from users where id= ‘admin‘ and pw= ‘‘ or 1=1 --’;) • Logon successful
Free Injection Scanner (example) • http://www.mavitunasecurity.com/community edition/
2. Broken Authentication and Session Management Reinventing the wheel… … not quite.
Example: Session Fixation
3. Cross-Site Scripting (XSS) • Using the vulnerable web site to attack another user (victim)
Different XSS Types XSS Persistent Stored Distributed Non- Persistent Reflected DOM- Based Combined
4. Insecure Direct Object References • User logs into the application • Can see own account information http://example.com/app/accountInfo?acct=MyAcctNumber • Is it possible to get other account infos? http://example.com/app/accountInfo?acct=NotMyAcctNumber
5. Security Misconfiguration
Questions to ask • Software out of date? (OS, Web/App Server, DBMS, applications, and all code libraries) • Unnecessary features enabled or installed? (ports, services, pages, accounts, privileges, …) • Default accounts and their passwords still the same? • Default error messages? • Insecure development frameworks settings?
6. Sensitive Data Exposure • Data stored in clear text long term, including backups • Data transmitted in clear text, internally or externally • Old / weak cryptographic algorithms • Weak crypto keys generated / No proper key management
Test yourself • HTTPS/SSL: http://www.ssllabs.com/ssltest/ • EMAIL/TLS: http://www.checktls.com
7. Missing Functional Level Access Control • Using the URL independent of logon process without authorization
8. Cross-Site Request Forgery (CSRF) • Money transfer app for the bank: – GET http://bank.com/transfer.do?acct=BOB&amount=100 HTTP/1.1 • Preparing false URL: – http://bank.com/transfer.do?acct=MARIA&amount=100000 • Trick the user to send this URL: – <a href="http://bank.com/transfer.do?acct=MARIA&amount=10000 0">View my Pictures!</a> – <img src="http://bank.com/transfer.do?acct=MARIA&amount=100000 " width="1" height="1" border="0">
CSRF Testing www.owasp.org/index.ph p/CSRFTester
9. Using Known Vulnerable Components • Using old, unpatched components within applications • Most difficult to discover • Requires detailed inventory of components to mitigate
10. Unvalidated Redirects and Forwards • http://www.example.com/redirect.jsp?url =evil.com • http://www.example.com/boring.jsp?fwd= admin.jsp • Check for spider 300-307 (302) responses
How to prevent/solve these? - %80 - %20 rule
Input validation • White-listing (BEST) • Black-listing • Sanitizing • Data type • Data format • Data lenght
Use strong authentication • Something you know – Passwords, PINS, etc • Something you have – Mobile phones (SMS), bank cards, OTP, etc • Something you are – Fingerprint, retina, voice, etc
Last words • Web application security requires – Secure software lifecycle • Risk management • Security KPIs • Code security review (automated & automatic) – Continuous monitoring and pen testing – Management commitment
Thank you. • Murat Lostar – Linkedin.com/in/lostar – www.lostar.com – Refs: OWASP, CERT, WIKIPEDIA, ISACA

Recomendados

OWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementOWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementNikola Milosevic
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
Cyber ppt
Cyber pptCyber ppt
Cyber pptkarthik menon
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentationAshwini Paranjpe
 
Web Security Attacks
Web Security AttacksWeb Security Attacks
Web Security AttacksSajid Hasan
 
Presentation on Web Attacks
Presentation on Web AttacksPresentation on Web Attacks
Presentation on Web AttacksVivek Sinha Anurag
 
OWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksOWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksKun-Da Wu
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 

Recomendados

OWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementOWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementNikola Milosevic
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
Cyber ppt
Cyber pptCyber ppt
Cyber pptkarthik menon
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentationAshwini Paranjpe
 
Web Security Attacks
Web Security AttacksWeb Security Attacks
Web Security AttacksSajid Hasan
 
Presentation on Web Attacks
Presentation on Web AttacksPresentation on Web Attacks
Presentation on Web AttacksVivek Sinha Anurag
 
OWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksOWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksKun-Da Wu
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessmentRavikumar Paghdal
 
Owasp top10salesforce
Owasp top10salesforceOwasp top10salesforce
Owasp top10salesforcegbreavin
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & TestingDeepu S Nath
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
OWASP Top Ten 2017
OWASP Top Ten 2017OWASP Top Ten 2017
OWASP Top Ten 2017Michael Furman
 
Web Hacking Intro
Web Hacking IntroWeb Hacking Intro
Web Hacking IntroAditya Kamat
 
Secure Web Applications Ver0.01
Secure Web Applications Ver0.01Secure Web Applications Ver0.01
Secure Web Applications Ver0.01Vasan Ramadoss
 
Error codes & custom 404s
Error codes & custom 404sError codes & custom 404s
Error codes & custom 404sRonan Dunne, CEH, SSCP
 
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) EuropeWakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) EuropeAlexandre Morgaut
 
Web application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresWeb application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresAung Thu Rha Hein
 
Application fuzzing
Application fuzzingApplication fuzzing
Application fuzzingBlueinfy Solutions
 
Step by step guide for web application security testing
Step by step guide for web application security testingStep by step guide for web application security testing
Step by step guide for web application security testingAvyaan, Web Security Company in India
 
Owasp 2017 oveview
Owasp 2017 oveviewOwasp 2017 oveview
Owasp 2017 oveviewShreyas N
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesMarco Morana
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration Tariq Islam
 
Web Application Security 101 - 04 Testing Methodology
Web Application Security 101 - 04 Testing MethodologyWeb Application Security 101 - 04 Testing Methodology
Web Application Security 101 - 04 Testing MethodologyWebsecurify
 
Owasp healthcare cms
Owasp healthcare cmsOwasp healthcare cms
Owasp healthcare cmsuisgslide
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
OWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum Top 10 A3 - 6th meetingOWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum Top 10 A3 - 6th meetingOWASP Khartoum
 
AJAX Security - LAC2016
AJAX Security - LAC2016AJAX Security - LAC2016
AJAX Security - LAC2016Julia Logan a.k.a. IrishWonder
 
Security Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramSecurity Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramOpenDNS
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding GuideGeoffrey Vandiest
 

Mais conteúdo relacionado

Mais procurados

Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessmentRavikumar Paghdal
 
Owasp top10salesforce
Owasp top10salesforceOwasp top10salesforce
Owasp top10salesforcegbreavin
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & TestingDeepu S Nath
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
Secure Web Applications Ver0.01
Secure Web Applications Ver0.01Secure Web Applications Ver0.01
Secure Web Applications Ver0.01Vasan Ramadoss
 
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) EuropeWakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) EuropeAlexandre Morgaut
 
Web application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresWeb application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresAung Thu Rha Hein
 
Owasp 2017 oveview
Owasp 2017 oveviewOwasp 2017 oveview
Owasp 2017 oveviewShreyas N
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesMarco Morana
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration Tariq Islam
 
Web Application Security 101 - 04 Testing Methodology
Web Application Security 101 - 04 Testing MethodologyWeb Application Security 101 - 04 Testing Methodology
Web Application Security 101 - 04 Testing MethodologyWebsecurify
 
Owasp healthcare cms
Owasp healthcare cmsOwasp healthcare cms
Owasp healthcare cmsuisgslide
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
OWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum Top 10 A3 - 6th meetingOWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum Top 10 A3 - 6th meetingOWASP Khartoum
 

Mais procurados (20)

Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessment
 
Owasp top10salesforce
Owasp top10salesforceOwasp top10salesforce
Owasp top10salesforce
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & Testing
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
 
OWASP Top Ten 2017
OWASP Top Ten 2017OWASP Top Ten 2017
OWASP Top Ten 2017
 
Web Hacking Intro
Web Hacking IntroWeb Hacking Intro
Web Hacking Intro
 
Secure Web Applications Ver0.01
Secure Web Applications Ver0.01Secure Web Applications Ver0.01
Secure Web Applications Ver0.01
 
Error codes & custom 404s
Error codes & custom 404sError codes & custom 404s
Error codes & custom 404s
 
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) EuropeWakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
 
Web application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresWeb application security: Threats & Countermeasures
Web application security: Threats & Countermeasures
 
Application fuzzing
Application fuzzingApplication fuzzing
Application fuzzing
 
Step by step guide for web application security testing
Step by step guide for web application security testingStep by step guide for web application security testing
Step by step guide for web application security testing
 
Owasp 2017 oveview
Owasp 2017 oveviewOwasp 2017 oveview
Owasp 2017 oveview
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root Causes
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration
 
Web Application Security 101 - 04 Testing Methodology
Web Application Security 101 - 04 Testing MethodologyWeb Application Security 101 - 04 Testing Methodology
Web Application Security 101 - 04 Testing Methodology
 
Owasp healthcare cms
Owasp healthcare cmsOwasp healthcare cms
Owasp healthcare cms
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
OWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum Top 10 A3 - 6th meetingOWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum Top 10 A3 - 6th meeting
 
AJAX Security - LAC2016
AJAX Security - LAC2016AJAX Security - LAC2016
AJAX Security - LAC2016
 

Semelhante a Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013

Security Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramSecurity Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramOpenDNS
 
Attacking Web Applications
Attacking Web ApplicationsAttacking Web Applications
Attacking Web ApplicationsSasha Goldshtein
 
Making Web Development "Secure By Default"
Making Web Development "Secure By Default" Making Web Development "Secure By Default"
Making Web Development "Secure By Default" Duo Security
 
OWASPTop 10
OWASPTop 10OWASPTop 10
OWASPTop 10InnoTech
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013tmd800
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentationowasp-pune
 
Top 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanTop 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanAkash Mahajan
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
The path of secure software by Katy Anton
The path of secure software by Katy AntonThe path of secure software by Katy Anton
The path of secure software by Katy AntonDevSecCon
 
Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Masoud Kalali
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
Java EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishJava EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishMarkus Eisele
 
Lesson 6 web based attacks
Lesson 6 web based attacksLesson 6 web based attacks
Lesson 6 web based attacksFrank Victory
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101 Stormpath
 

Semelhante a Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013 (20)

Security Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramSecurity Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training Program
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
 
Web Security
Web SecurityWeb Security
Web Security
 
Attacking Web Applications
Attacking Web ApplicationsAttacking Web Applications
Attacking Web Applications
 
Making Web Development "Secure By Default"
Making Web Development "Secure By Default" Making Web Development "Secure By Default"
Making Web Development "Secure By Default"
 
OWASPTop 10
OWASPTop 10OWASPTop 10
OWASPTop 10
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013
 
OWASP Top Ten in Practice
OWASP Top Ten in PracticeOWASP Top Ten in Practice
OWASP Top Ten in Practice
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
 
Top 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanTop 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajan
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
The path of secure software by Katy Anton
The path of secure software by Katy AntonThe path of secure software by Katy Anton
The path of secure software by Katy Anton
 
Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Java EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishJava EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFish
 
Lesson 6 web based attacks
Lesson 6 web based attacksLesson 6 web based attacks
Lesson 6 web based attacks
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: Injection
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101
 
WebApps_Lecture_15.ppt
WebApps_Lecture_15.pptWebApps_Lecture_15.ppt
WebApps_Lecture_15.ppt
 

Mais de Lostar

VERBİS'e kayıt nasıl yapılacak? KVKK - Lostar
VERBİS'e kayıt nasıl yapılacak? KVKK - LostarVERBİS'e kayıt nasıl yapılacak? KVKK - Lostar
VERBİS'e kayıt nasıl yapılacak? KVKK - LostarLostar
 
KVKK ve GDPR'a BT Uyumu
KVKK ve GDPR'a BT UyumuKVKK ve GDPR'a BT Uyumu
KVKK ve GDPR'a BT UyumuLostar
 
DDoS - Dağıtık Hizmet Engelleme Saldırıları
DDoS - Dağıtık Hizmet Engelleme SaldırılarıDDoS - Dağıtık Hizmet Engelleme Saldırıları
DDoS - Dağıtık Hizmet Engelleme SaldırılarıLostar
 
Bulut & Güvenlik - Güvence Nasıl Sağlanır?
Bulut & Güvenlik - Güvence Nasıl Sağlanır?Bulut & Güvenlik - Güvence Nasıl Sağlanır?
Bulut & Güvenlik - Güvence Nasıl Sağlanır?Lostar
 
Endüstri 4.0 Güvenliği
Endüstri 4.0 GüvenliğiEndüstri 4.0 Güvenliği
Endüstri 4.0 GüvenliğiLostar
 
IoT ve Güvenlik Ekim2017
IoT ve Güvenlik Ekim2017IoT ve Güvenlik Ekim2017
IoT ve Güvenlik Ekim2017Lostar
 
Endüstri 4.0 / Güvenlik 4.0
Endüstri 4.0 / Güvenlik 4.0Endüstri 4.0 / Güvenlik 4.0
Endüstri 4.0 / Güvenlik 4.0Lostar
 
Wannacry.Lostar
Wannacry.LostarWannacry.Lostar
Wannacry.LostarLostar
 
BLOCKCHAIN
BLOCKCHAINBLOCKCHAIN
BLOCKCHAINLostar
 
Dijitalleşme çağında bilgi güvenliği'nin önemli ve alınabilecek önlemler
Dijitalleşme çağında bilgi güvenliği'nin önemli ve alınabilecek önlemlerDijitalleşme çağında bilgi güvenliği'nin önemli ve alınabilecek önlemler
Dijitalleşme çağında bilgi güvenliği'nin önemli ve alınabilecek önlemlerLostar
 
Kişisel Verileri Koruma Kanunu (KVKK) - BT Uyumu
Kişisel Verileri Koruma Kanunu (KVKK) - BT UyumuKişisel Verileri Koruma Kanunu (KVKK) - BT Uyumu
Kişisel Verileri Koruma Kanunu (KVKK) - BT UyumuLostar
 
Herşeyin Güvenliği - Murat Lostar - 2.Bilişim Hukuku Zirvesi
Herşeyin Güvenliği - Murat Lostar - 2.Bilişim Hukuku ZirvesiHerşeyin Güvenliği - Murat Lostar - 2.Bilişim Hukuku Zirvesi
Herşeyin Güvenliği - Murat Lostar - 2.Bilişim Hukuku ZirvesiLostar
 
Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESS
Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESSBest Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESS
Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESSLostar
 
Bulut Bilişim Güvenliği Nasıl Ölçülür? Cloud Controls Matrix - Lostar
Bulut Bilişim Güvenliği Nasıl Ölçülür? Cloud Controls Matrix - LostarBulut Bilişim Güvenliği Nasıl Ölçülür? Cloud Controls Matrix - Lostar
Bulut Bilişim Güvenliği Nasıl Ölçülür? Cloud Controls Matrix - LostarLostar
 
Lostar Microsoft Zirve 2007 Guvenlik
Lostar Microsoft Zirve 2007 GuvenlikLostar Microsoft Zirve 2007 Guvenlik
Lostar Microsoft Zirve 2007 GuvenlikLostar
 
Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013
Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013
Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013Lostar
 
Tedarikçi Güvenliği için Yol Haritası
Tedarikçi Güvenliği için Yol HaritasıTedarikçi Güvenliği için Yol Haritası
Tedarikçi Güvenliği için Yol HaritasıLostar
 
Tedarikçi Kullanımı ve Riskler
Tedarikçi Kullanımı ve RisklerTedarikçi Kullanımı ve Riskler
Tedarikçi Kullanımı ve RisklerLostar
 
Yeni TTK Guvenlik
Yeni TTK GuvenlikYeni TTK Guvenlik
Yeni TTK GuvenlikLostar
 
Risk IT
Risk ITRisk IT
Risk ITLostar
 

Mais de Lostar (20)

VERBİS'e kayıt nasıl yapılacak? KVKK - Lostar
VERBİS'e kayıt nasıl yapılacak? KVKK - LostarVERBİS'e kayıt nasıl yapılacak? KVKK - Lostar
VERBİS'e kayıt nasıl yapılacak? KVKK - Lostar
 
KVKK ve GDPR'a BT Uyumu
KVKK ve GDPR'a BT UyumuKVKK ve GDPR'a BT Uyumu
KVKK ve GDPR'a BT Uyumu
 
DDoS - Dağıtık Hizmet Engelleme Saldırıları
DDoS - Dağıtık Hizmet Engelleme SaldırılarıDDoS - Dağıtık Hizmet Engelleme Saldırıları
DDoS - Dağıtık Hizmet Engelleme Saldırıları
 
Bulut & Güvenlik - Güvence Nasıl Sağlanır?
Bulut & Güvenlik - Güvence Nasıl Sağlanır?Bulut & Güvenlik - Güvence Nasıl Sağlanır?
Bulut & Güvenlik - Güvence Nasıl Sağlanır?
 
Endüstri 4.0 Güvenliği
Endüstri 4.0 GüvenliğiEndüstri 4.0 Güvenliği
Endüstri 4.0 Güvenliği
 
IoT ve Güvenlik Ekim2017
IoT ve Güvenlik Ekim2017IoT ve Güvenlik Ekim2017
IoT ve Güvenlik Ekim2017
 
Endüstri 4.0 / Güvenlik 4.0
Endüstri 4.0 / Güvenlik 4.0Endüstri 4.0 / Güvenlik 4.0
Endüstri 4.0 / Güvenlik 4.0
 
Wannacry.Lostar
Wannacry.LostarWannacry.Lostar
Wannacry.Lostar
 
BLOCKCHAIN
BLOCKCHAINBLOCKCHAIN
BLOCKCHAIN
 
Dijitalleşme çağında bilgi güvenliği'nin önemli ve alınabilecek önlemler
Dijitalleşme çağında bilgi güvenliği'nin önemli ve alınabilecek önlemlerDijitalleşme çağında bilgi güvenliği'nin önemli ve alınabilecek önlemler
Dijitalleşme çağında bilgi güvenliği'nin önemli ve alınabilecek önlemler
 
Kişisel Verileri Koruma Kanunu (KVKK) - BT Uyumu
Kişisel Verileri Koruma Kanunu (KVKK) - BT UyumuKişisel Verileri Koruma Kanunu (KVKK) - BT Uyumu
Kişisel Verileri Koruma Kanunu (KVKK) - BT Uyumu
 
Herşeyin Güvenliği - Murat Lostar - 2.Bilişim Hukuku Zirvesi
Herşeyin Güvenliği - Murat Lostar - 2.Bilişim Hukuku ZirvesiHerşeyin Güvenliği - Murat Lostar - 2.Bilişim Hukuku Zirvesi
Herşeyin Güvenliği - Murat Lostar - 2.Bilişim Hukuku Zirvesi
 
Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESS
Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESSBest Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESS
Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESS
 
Bulut Bilişim Güvenliği Nasıl Ölçülür? Cloud Controls Matrix - Lostar
Bulut Bilişim Güvenliği Nasıl Ölçülür? Cloud Controls Matrix - LostarBulut Bilişim Güvenliği Nasıl Ölçülür? Cloud Controls Matrix - Lostar
Bulut Bilişim Güvenliği Nasıl Ölçülür? Cloud Controls Matrix - Lostar
 
Lostar Microsoft Zirve 2007 Guvenlik
Lostar Microsoft Zirve 2007 GuvenlikLostar Microsoft Zirve 2007 Guvenlik
Lostar Microsoft Zirve 2007 Guvenlik
 
Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013
Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013
Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013
 
Tedarikçi Güvenliği için Yol Haritası
Tedarikçi Güvenliği için Yol HaritasıTedarikçi Güvenliği için Yol Haritası
Tedarikçi Güvenliği için Yol Haritası
 
Tedarikçi Kullanımı ve Riskler
Tedarikçi Kullanımı ve RisklerTedarikçi Kullanımı ve Riskler
Tedarikçi Kullanımı ve Riskler
 
Yeni TTK Guvenlik
Yeni TTK GuvenlikYeni TTK Guvenlik
Yeni TTK Guvenlik
 
Risk IT
Risk ITRisk IT
Risk IT
 

Último

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 

Último (20)

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 

Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013

  • 1. The “Top 10” Web Application Security Risks Murat Lostar
  • 2. Why Web Application Security? • Mid – late 90s. • Early – 2000s. • Today • Tomorrow - Cloud, M2M • Always - People
  • 3. OWASP – Top10 1. Injection 2. Broken Authentication and Session Management 3. Cross-Site Scripting (XSS) 4. Insecure Direct Object References 5. Security Misconfiguration 6. Sensitive Data Exposure 7. Missing Functional Level Access Control 8. Cross-Site Request Forgery (CSRF) 9. Using Known Vulnerable Components 10. Unvalidated Redirects and Forwards
  • 4. 1. Injection • Application sends untrusted data to an interpreter • Types: SQL, LDAP, Xpath, NoSQL queries; OS commands; XML parsers, SMTP Headers, program arguments, etc.
  • 5. Injection Example • If exist (Select * from users where id= ‘@Name’ and pw= ‘@Pass’;) then logon successful
  • 6. Injection Example • Username: admin • Password: ‘ or 1=1 -- • If exist (Select * from users where id= ‘admin‘ and pw= ‘‘ or 1=1 --’;) • Logon successful
  • 7. Free Injection Scanner (example) • http://www.mavitunasecurity.com/community edition/
  • 8. 2. Broken Authentication and Session Management Reinventing the wheel… … not quite.
  • 10. 3. Cross-Site Scripting (XSS) • Using the vulnerable web site to attack another user (victim)
  • 11. Different XSS Types XSS Persistent Stored Distributed Non- Persistent Reflected DOM- Based Combined
  • 12. 4. Insecure Direct Object References • User logs into the application • Can see own account information http://example.com/app/accountInfo?acct=MyAcctNumber • Is it possible to get other account infos? http://example.com/app/accountInfo?acct=NotMyAcctNumber
  • 14. Questions to ask • Software out of date? (OS, Web/App Server, DBMS, applications, and all code libraries) • Unnecessary features enabled or installed? (ports, services, pages, accounts, privileges, …) • Default accounts and their passwords still the same? • Default error messages? • Insecure development frameworks settings?
  • 15. 6. Sensitive Data Exposure • Data stored in clear text long term, including backups • Data transmitted in clear text, internally or externally • Old / weak cryptographic algorithms • Weak crypto keys generated / No proper key management
  • 17. 7. Missing Functional Level Access Control • Using the URL independent of logon process without authorization
  • 18. 8. Cross-Site Request Forgery (CSRF) • Money transfer app for the bank: – GET http://bank.com/transfer.do?acct=BOB&amount=100 HTTP/1.1 • Preparing false URL: – http://bank.com/transfer.do?acct=MARIA&amount=100000 • Trick the user to send this URL: – <a href="http://bank.com/transfer.do?acct=MARIA&amount=10000 0">View my Pictures!</a> – <img src="http://bank.com/transfer.do?acct=MARIA&amount=100000 " width="1" height="1" border="0">
  • 20. 9. Using Known Vulnerable Components • Using old, unpatched components within applications • Most difficult to discover • Requires detailed inventory of components to mitigate
  • 21. 10. Unvalidated Redirects and Forwards • http://www.example.com/redirect.jsp?url =evil.com • http://www.example.com/boring.jsp?fwd= admin.jsp • Check for spider 300-307 (302) responses
  • 22. How to prevent/solve these? - %80 - %20 rule
  • 23. Input validation • White-listing (BEST) • Black-listing • Sanitizing • Data type • Data format • Data lenght
  • 24. Use strong authentication • Something you know – Passwords, PINS, etc • Something you have – Mobile phones (SMS), bank cards, OTP, etc • Something you are – Fingerprint, retina, voice, etc
  • 25. Last words • Web application security requires – Secure software lifecycle • Risk management • Security KPIs • Code security review (automated & automatic) – Continuous monitoring and pen testing – Management commitment
  • 26. Thank you. • Murat Lostar – Linkedin.com/in/lostar – www.lostar.com – Refs: OWASP, CERT, WIKIPEDIA, ISACA

Notas do Editor

  1. The “Top 10” Web Application Security Risks Speaker Murat LostarCEOLostar Information SecurityAfter completing this session, you will be able to:• Recognize the Top 10 Web Application Security Risks along with the vulnerabilities that cause them• Use open source tools to identify if these risks are present in your enterprise• Participate in detailed risk mitigation examplesdrawn from banking, telecommunications, online retail and transportation• Evaluate and effectively utilize web development tools for security testing• Utilize proven methodologies and approaches to mitigate these risks in your organisation