Problems with Parameters (BSides MSP)
Mike Saunders
Principal—Hardwater Information Security
• In IT for about 20 years, full-time for 16
• *NIX/Windows/Net admin, security engineer, architect, and developer in a previous life
• Currently performing pen tests full time
• CISSP, GWAPT, GPEN, GCIH

• Seeing the same issues over and over in internally developed, outsourced dev, business partner/vendor and big software vendor apps
• Some success with internal teams in improving app security

• The Web is a target-rich environment
◦ “[N]early half of all reported vulnerabilities exist in Web applications” (TippingPoint DVLabs, 2010)

• In the past, perimeters were porous at best
• Hardened perimeters today
◦ Firewalls are better controlled now
◦ Better patching programs
◦ Better server hardening (STIGs, CIS, etc.)

• We open the door to web apps to enable business!
(Image: http://www.pressofatlanticcity.com)
• 52% of all breaches were the result of hacking
◦ 22% of all hacking attacks were against web apps (Verizon, 2012)
• 65% of organizations surveyed experienced a SQLi attack in the past 12 months (Ponemon, 2014)
• SQL Injection and Cross-Site Scripting (XSS) are the most common attacks

• Web apps receive input through parameters
• Malicious input can result in server-side injection attacks (SQLi, command injection, XPath injection, ...) or client-side attacks (XSS, CSRF, ...)

• 2011 SANS/MITRE Top 25
◦ Three of the top four are injection vulnerabilities
1) SQLi
2) Command Injection
4) XSS
12) CSRF—leverages XSS
http://www.sans.org/top25-software-errors/

• Occurs when a web app uses input from a user within the output it generates, without validating or encoding it (OWASP)
• The client browser interprets the server response as a script instead of rendering it
◦ Reflected XSS through a malicious URL
◦ Persistent XSS—forum post or profile; injected into the content database
◦ DOM-based

• JavaScript, VBScript, Silverlight
• “Deface” websites
• Steal session cookies
• Install keyloggers/trojans/malware
• Take screenshots
• Exfiltrate data
• CSRF
• SHELLS!
Vulnerable parameter: trkid
Attack string: <script>alert(document.cookie)</script>
Vulnerability was responsibly disclosed to Netflix and has been remediated.

• Attacker sends input which is interpreted as a DB command

• SHELLS!
• Stored XSS to attack site visitors
• Steal database contents
◦ Usernames and passwords
◦ Account info
◦ CC#
• Alter/delete DB contents

• Time-based blind SQLi = database dumped!

• Attacker input results in execution of commands in the web server OS
• Input is included as part of a shell command executed by the web app

• SHELLS!
• Install backdoors
• Exfiltrate data
• Pivot to other systems

• Command injection: `ping -c 20 127.0.0.1`
◦ Input passed to an external program, interpreted as a shell command
◦ Additional command injection mails the password file to the attacker
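The `ping` example above, rebuilt as an added Python illustration (not code from the deck): the vulnerable pattern splices the client's parameter into a shell command line, while the hardened version validates the parameter against an allow-list (the deck's "define what's good, drop everything else") and passes it to the program as a single argv element so no shell ever parses it. The function names, the `host` parameter and the sample inputs are constructed for this example; nothing is executed unless `run_ping` is called explicitly.

```python
"""Command-injection pattern and its fix (added example; not the deck's code)."""
import ipaddress
import re
import subprocess

# Allow-list for the constructed `host` parameter: a literal IP address, or a
# plain hostname made of labels of letters, digits and hyphens.  Anything else
# (spaces, ';', '|', '$(...)', backticks, ...) is rejected before it is used.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_ping_unsafe(host: str) -> str:
    """The vulnerable pattern: string concatenation into a shell command line.

    Whatever the client sent becomes part of the command text, so shell
    metacharacters in `host` are interpreted by the shell, not by ping.
    The string is returned rather than executed so the example is safe to run.
    """
    return "ping -c 20 " + host


def validate_host(host: str) -> str:
    """Allow-list validation: accept an IP address or a well-formed hostname."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if _HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"rejected host parameter: {host!r}")


def build_ping_safe(host: str) -> list[str]:
    """Hardened pattern: validate first, then build an argv list.

    A list handed to subprocess.run with shell=False (the default) never
    invokes /bin/sh, so the parameter reaches ping as one opaque argument.
    """
    return ["ping", "-c", "20", validate_host(host)]


def run_ping(host: str) -> subprocess.CompletedProcess:
    """Execute the hardened command (only when called explicitly)."""
    return subprocess.run(build_ping_safe(host), capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Constructed inputs: a legitimate address and one carrying a shell separator.
    for candidate in ("127.0.0.1", "127.0.0.1; ls"):
        print("unsafe command line:", build_ping_unsafe(candidate))
        try:
            print("safe argv:         ", build_ping_safe(candidate))
        except ValueError as err:
            print("safe path:         ", err)
```

The two defences are independent: the argv list alone already prevents shell interpretation, and the allow-list alone already rejects the bad input; keeping both means a later refactor that reintroduces `shell=True` still has the validator in front of it.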
• 80% of web apps vulnerable to XSS
• More than 45,000 reported XSS @ xssed.com
• 26% of 2013 breaches caused by SQLi (Trustwave, 2013)

• 2014—Tweetdeck retweet XSS
◦ More than 38,000 retweets in an hour
• Hold Security announces 1.2 billion records stolen from 420,000 sites via SQLi (Hold Security, 2014)

“If builders built buildings the way programmers built programs, the first woodpecker to come along would destroy civilization.”
- Gerald Weinberg

(Image: http://www.panoramio.com/photo/10984427)
(Image: http://www.pinterest.com/pin/345299496399829978/)
• Don’t bolt on security as an afterthought
• Integrate security into the development process
• Repairs = much higher costs
• 15× more expensive to repair at the testing phase
• Up to 100× more expensive after deployment (Jones, 1996)

(Chart: IDC, 2011)

• Peer code reviews
• Involve developers in testing code before release
◦ OWASP Testing Guide
◦ OWASP XSS Filter Evasion Cheat Sheet
◦ Testing for SQL Injection (OWASP-DV-005)
◦ Code analysis tools

• Use available tools to your advantage
◦ BurpPro—Almost free
◦ OWASP ZAP Proxy
◦ OWASP Xenotix
◦ SoapUI test suite
◦ SANS SWAT Checklist

(Images: http://i9.photobucket.com/albums/a81/kos102/2009/Other/tin-foil-cat.jpg, http://demonarex.files.wordpress.com/2011/03/house-everybody-lies2.jpg)

• Never trust input from the client!
◦ Even if it’s provided automatically by the browser
• Validation is key
◦ Whitelist – define what’s good, drop everything else
▪ Ex: SSN / Phone / CC# should only be digits
▪ See OWASP XSS & SQLi Prevention Cheat Sheets
• Always validate server-side
◦ Client side is easily bypassed

• Escape untrusted input
◦ If you must accept untrusted input, render it inert by escaping it (e.g. a single quote ' is escaped so the interpreter treats it as literal data)
• Encode untrusted input before returning it to the client
◦ <script>alert(1)</script> becomes &lt;script&gt;alert(1)&lt;/script&gt;

• Set cookies using HttpOnly
• Content-Security-Policy header
◦ https://www.owasp.org/index.php/Content_Security_Policy
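The three slides above (whitelist validation, output encoding, HttpOnly and CSP) carried through in one added Python example that is not code from the deck: a framework-free handler, `render_search_page`, validates a digits-only tracking parameter, HTML-encodes a free-text search term before echoing it, and sets the response headers the deck recommends. The vulnerable `render_unsafe` is the reflected pattern shown beside it. Function names, the `trkid`-style parameter and the inputs are constructed; the session cookie value is a placeholder.

```python
"""Reflected-XSS prevention: validate, encode, and harden headers (added example)."""
import html
import re

# Allow-list for fields the deck says must be digits only (SSN / phone / CC# / IDs).
_DIGITS_ONLY = re.compile(r"^[0-9]{1,20}$")


def validate_numeric_param(value: str) -> str:
    """Whitelist validation: define what's good, drop everything else."""
    if not _DIGITS_ONLY.match(value):
        raise ValueError(f"rejected non-numeric parameter: {value!r}")
    return value


def encode_for_html(untrusted: str) -> str:
    """Output encoding for HTML body context.

    html.escape with quote=True also encodes " and ', so the same output is
    safe inside a quoted attribute value, not only between tags.
    """
    return html.escape(untrusted, quote=True)


def render_unsafe(term: str) -> str:
    """The vulnerable pattern: client input echoed straight into the page."""
    return f"<p>Results for: {term}</p>"


def render_search_page(term: str, track_id: str) -> tuple[dict, str]:
    """Hardened handler: validate what can be validated, encode the rest."""
    tid = validate_numeric_param(track_id)   # structured field: whitelist
    safe_term = encode_for_html(term)         # free text: must be encoded
    body = (
        "<!doctype html><html><body>"
        f'<p data-track="{tid}">Results for: {safe_term}</p>'
        "</body></html>"
    )
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        # HttpOnly keeps the session cookie out of document.cookie; the value
        # below is a placeholder, not a real session identifier.
        "Set-Cookie": "session=<opaque-session-id>; HttpOnly; Secure; SameSite=Lax",
        # Scripts only from this origin; inline script is blocked by default.
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    }
    return headers, body


if __name__ == "__main__":
    # Constructed input: the deck's cookie-stealing probe string.
    probe = "<script>alert(document.cookie)</script>"
    print("unsafe:", render_unsafe(probe))
    hdrs, page = render_search_page(probe, "123456")
    print("safe:  ", page)
    for name, value in hdrs.items():
        print(f"{name}: {value}")
```

Encoding is context-specific: `html.escape` is correct for HTML body and attribute values, but a value placed inside a JavaScript string, a URL or a CSS block needs that context's encoder instead (the OWASP XSS Prevention Cheat Sheet linked in the deck lists them).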
• Again, never trust input from the client, always validate
• Always escape or encode dangerous characters if you are required to process them: double quote ("), single quote ('), comment sequence (--), semicolon (;)
• Use prepared statements whenever possible
• Escape everything!
• OWASP SQLi Prevention Cheat Sheet
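The SQLi slides (input interpreted as a DB command; prepared statements as the fix) as one added Python example that is not code from the deck: a login lookup built by string concatenation beside the same lookup as a parameterized statement, run against an in-memory SQLite table. The table, its columns and the two rows are constructed for the example, and passwords are stored in plain text only to keep it short (real systems store hashes). The probe input uses exactly the characters the slide lists, the single quote and the `--` comment sequence.

```python
"""SQL injection via string concatenation vs. a prepared statement (added example)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users with made-up credentials."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "battery staple")],
    )
    conn.commit()
    return conn


def login_unsafe(conn: sqlite3.Connection, username: str, password: str) -> list[str]:
    """Vulnerable pattern: user input spliced into the SQL text.

    A quote closes the string literal and `--` comments out the rest of the
    statement, so the input changes the structure of the query, not just a
    value inside it.
    """
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list[str]:
    """Prepared statement: the SQL text is fixed, values are bound separately.

    The driver binds each `?` after the statement is parsed, so a quote or
    comment sequence in the input is only ever compared as data.
    """
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    db = make_db()
    probe = "alice'--"          # constructed input using ' and -- from the slide
    print("unsafe, real password: ", login_unsafe(db, "alice", "correct horse"))
    print("unsafe, probe input:   ", login_unsafe(db, probe, "wrong"))
    print("safe, probe input:     ", login_safe(db, probe, "wrong"))
    print("safe, real password:   ", login_safe(db, "alice", "correct horse"))
```

The comparison is the point: with the concatenated query the probe authenticates without a password, while the prepared statement returns no row for the same input. Escaping can block this particular input, but it must be applied correctly for every database dialect and every context, which is why the deck puts prepared statements first.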
• .NET platform
◦ Microsoft Anti-Cross Site Scripting Library
• ASP.NET Framework
◦ ValidateRequest()
• Java
◦ OWASP ESAPI
◦ OWASP Java Encoder Project
• OWASP Encoding Project
◦ Multi-platform: Java, .NET, PHP, Perl, Python, JavaScript, ASP, Ruby

• Secure AppDev starts before code is written
• Grow secure developers—peer reviews, cross-training, mentoring
• Be paranoid! Never trust input
◦ Validate, escape, encode
• Use available security resources (OWASP, SANS, etc.)

• SANS Securing Web Application Technologies Checklist
◦ http://www.securingthehuman.org/developer/swat
• SANS/MITRE Top 25 Software Errors
◦ http://www.sans.org/top25-software-errors/
• OWASP XSS Prevention Cheat Sheet
◦ https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
• OWASP DOM-based XSS Prevention Cheat Sheet
◦ https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
• OWASP SQLi Prevention Cheat Sheet
◦ https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
• OWASP XSS Filter Evasion Cheat Sheet
◦ https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
• OWASP Cheat Sheets
◦ https://www.owasp.org/index.php/Cheat_Sheets

• Google Application Security Library – XSS
◦ http://www.google.com/about/appsecurity/learning/xss/
• Testing for SQL Injection (OWASP-DV-005)
◦ https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OWASP-DV-005)
• Microsoft Anti-Cross Site Scripting Library
◦ http://wpl.codeplex.com/
• OWASP Enterprise Security API
◦ https://www.owasp.org/index.php/ESAPI
• OWASP Encoding Project
◦ https://www.owasp.org/index.php/Category:OWASP_Encoding_Project
• Ruby on Rails Security Basics
◦ https://www.netsparker.com/blog/web-security/ruby-on-rails-security-basics/
• Developing Secure Web Application – Cross-Site Scripting
◦ http://www.slideshare.net/codecampiasi/developing-secure-web-application-crosssite-scripting-xss
• XSSing Your Way to Shell
◦ https://speakerdeck.com/varbaek/xssing-your-way-to-shell

• Greenberg, A. (2013, July 31). SQL injection attacks still enable breaches, all these years later. SCMagazine. Retrieved from http://www.scmagazine.com/sql-injection-attacks-still-enable-breaches-all-these-years-later/article/305433/
• Hold Security. (2014, August 5). You Have Been Hacked. Retrieved from http://www.holdsecurity.com/news/cybervor-breach/
• IDC. (2011). The Case for Building in Web Application Security from the Start. [White paper]. Retrieved from http://resources.idgenterprise.com/original/AST-0048510_The_case_for_building_in_web_application_security_from_the_start.PDF
• Jones, C. (1996). Applied Software Measurement: Assuring Productivity and Quality. McGraw-Hill.
• Ponemon Institute. (2014). The SQL Injection Threat Study. Retrieved from http://www.dbnetworks.com/contact/PonemonSQLInjectionThreatSurveyDownload.htm
• TippingPoint DVLabs. (2011). 2010 Full Year Top Cyber Security Risks Report. Retrieved from http://dvlabs.tippingpoint.com/img/FullYear2010%20Risk%20Report.pdf
• Trustwave. (2013). 2013 Global Security Report. Retrieved from http://www2.trustwave.com/rs/trustwave/images/2013-Global-Security-Report.pdf
• Verizon. (2013). 2012 Data Breach Investigations Report. Retrieved from http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012-ebk_en_xg.pdf

• msaunders.sec@gmail.com
• @hardwaterhacker
• Blog: http://hardwatersec.blogspot.com/

Is Your Data Literally Walking Out the Door-presentation
 
You will be breached
You will be breachedYou will be breached
You will be breached
 

Último

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 

Último (20)

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 

Problems with parameters b sides-msp

11.
• JavaScript, VBScript, Silverlight
• "Deface" websites
• Steal session cookies
• Install keyloggers/trojans/malware
• Take screenshots
• Exfiltrate data
• CSRF
• SHELLS!

12.
• Vulnerable parameter: trkid
• Attack string: <script>alert(document.cookie)</script>
• Vulnerability was responsibly disclosed to Netflix and has been remediated.

13.
• SQL injection: attacker-supplied input is spliced into the text of a query, so the database parses part of that input as SQL commands rather than treating it as data

14.
• SHELLS!
• Stored XSS to attack site visitors
• Steal database contents
◦ Usernames and passwords
◦ Account info
◦ CC#
• Alter/delete DB contents

15.
• Time-based blind SQLi = database dumped!
◦ Even when the response shows no data and no error, a measurable delay per request is enough to extract the database one character at a time

16.
• Command injection: attacker input results in execution of commands on the web server OS
• The input is included as part of a shell command that the web app executes

17.
• SHELLS!
• Install backdoors
• Exfiltrate data
• Pivot to other systems

18.
• Command injection: `ping -c 20 127.0.0.1`
◦ The host parameter is passed to an external program through the shell, so shell metacharacters in it are interpreted and a second command appended to the host runs as well
◦ Here the additional injected command mails the password file to the attacker

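Added example for slide 18; this is not code from the talk. Python stands in for whatever language the vulnerable app is written in, since the pattern is the same everywhere. It shows the shell-string version of the ping call, a helper that counts how many commands a POSIX shell would actually run for a constructed input such as `127.0.0.1; id` (a hypothetical payload, not the one used in the talk), and the hardened version, which whitelists the host and hands an argv list to subprocess with shell=False. The names `vulnerable_ping_command`, `shell_would_run`, `is_allowed_host`, `safe_ping_argv` and `run_ping` are this example's own.

```python
from __future__ import annotations

import re
import shlex
import subprocess

# Constructed attacker input: a valid target followed by an injected second command.
# Hypothetical illustration of the slide's attack, not the payload from the talk.
INJECTED_HOST = "127.0.0.1; id"


def vulnerable_ping_command(host: str) -> str:
    """The pattern slide 18 describes: the parameter is pasted into one shell string
    that is handed to /bin/sh, so ';', '|', '&&', '$(...)' and backticks start new commands."""
    return f"ping -c 20 {host}"


def shell_would_run(command: str) -> list[str]:
    """Split a command line into the separate commands a POSIX shell would execute.
    shlex with punctuation_chars=True tokenises ';', '|', '&', '&&', '||' on their own."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    commands: list[str] = []
    current: list[str] = []
    for token in lexer:
        if token in (";", "&", "&&", "|", "||"):
            if current:
                commands.append(" ".join(current))
            current = []
        else:
            current.append(token)
    if current:
        commands.append(" ".join(current))
    return commands


# Whitelist for the host parameter: a dotted-quad IPv4 address or a DNS name built from
# labels of [A-Za-z0-9-]. No shell metacharacter is in the alphabet, and a leading '-'
# is impossible, so the value cannot be mistaken for a ping option either.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(
    r"(?:\d{1,3}(?:\.\d{1,3}){3})" + "|" + r"(?:" + _LABEL + r"(?:\." + _LABEL + r")*\.?)"
)


def is_allowed_host(host: str) -> bool:
    """Whitelist check; fullmatch so nothing can trail the matched value (not even a newline)."""
    return len(host) <= 253 and _HOST_RE.fullmatch(host) is not None


def safe_ping_argv(host: str) -> list[str]:
    """Validate against the whitelist, then return an argv list for subprocess with
    shell=False: no shell is involved, so metacharacters carry no meaning at all, and the
    whitelist is defence in depth rather than the only barrier."""
    if not is_allowed_host(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return ["ping", "-c", "20", host]


def run_ping(host: str, dry_run: bool = True) -> list[str]:
    """Build and (optionally) execute the command safely. dry_run keeps the example
    offline; with dry_run=False the argv goes to subprocess.run with shell=False."""
    argv = safe_ping_argv(host)
    if not dry_run:
        subprocess.run(argv, check=False, shell=False, timeout=60)
    return argv


if __name__ == "__main__":
    vuln = vulnerable_ping_command(INJECTED_HOST)
    print("shell string:  ", vuln)
    print("shell executes:", shell_would_run(vuln))  # two commands, not one
    print("safe argv:     ", run_ping("127.0.0.1"))
    try:
        run_ping(INJECTED_HOST)
    except ValueError as exc:
        print("blocked:       ", exc)
```

Even without the whitelist, passing a list with shell=False would deliver `127.0.0.1; id` to ping as a single, failing hostname argument; the whitelist is there so the failure is a clean 400 to the caller and so that option-looking values never reach the program.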
19.
• 80% of web apps vulnerable to XSS
• More than 45,000 reported XSS @ xssed.com
• 26% of 2013 breaches caused by SQLi (Trustwave, 2013)

20.
• 2014: TweetDeck retweet XSS
◦ More than 38,000 retweets in an hour
• Hold Security announces 1.2 billion records stolen from 420,000 sites via SQLi (Hold Security, 2014)

21.
"If builders built buildings the way programmers built programs, the first woodpecker to come along would destroy civilization." - Gerald Weinberg

24.
• Don't bolt on security as an afterthought
• Integrate security into the development process
• Repairing defects later costs much more
◦ 15× more expensive to repair at the testing phase
◦ Up to 100× more expensive after deployment (Jones, 1996)

26.
• Peer code reviews
• Involve developers in testing code before release
◦ OWASP Testing Guide
◦ OWASP XSS Filter Evasion Cheat Sheet
◦ Testing for SQL Injection (OWASP-DV-005)
◦ Code analysis tools

27.
• Use available tools to your advantage
◦ Burp Suite Pro (almost free)
◦ OWASP ZAP Proxy
◦ OWASP Xenotix
◦ SoapUI test suite
◦ SANS SWAT Checklist

30.
• Never trust input from the client!
◦ Even if it is provided automatically by the browser (cookies, headers, hidden fields)
• Validation is key
◦ Whitelist: define what is good, drop everything else
▪ Ex: SSN / phone / CC# should only be digits
▪ See the OWASP XSS & SQLi Prevention Cheat Sheets
• Always validate server-side
◦ Client-side validation is easily bypassed
• Validation narrows the attack surface; it does not replace output encoding (XSS) or prepared statements (SQLi), which are still needed for every value that passes

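Added example for slide 30, not part of the original deck: server-side whitelist validation for the three parameters the slide names (the fixed lengths are an assumption about the formats this app accepts), the common `re.match` + `$` mistake beside the `fullmatch` check, and a Luhn test for the card number, which goes beyond the slide's digits-only rule. `ALLOWED`, `is_valid`, `is_valid_sloppy`, `luhn_ok`, `validation_errors` and `validate_request` are this example's own names.

```python
import re

# Whitelist patterns for the parameters the slide names: digits only, with the fixed
# lengths the usual US formats define. The lengths are an assumption for this example.
ALLOWED = {
    "ssn": re.compile(r"[0-9]{9}"),
    "phone": re.compile(r"[0-9]{10}"),
    "cc": re.compile(r"[0-9]{13,19}"),
}


def is_valid(name: str, value: str) -> bool:
    """Whitelist check, done server-side. fullmatch is deliberate: re.match only anchors
    the start, and '$' also matches just before a trailing newline, so a pattern such as
    [0-9]{9}$ accepts '123456789' followed by a newline, and that newline then travels on
    into the SQL statement, the log line, or whatever consumes the value."""
    pattern = ALLOWED[name]
    return isinstance(value, str) and pattern.fullmatch(value) is not None


def is_valid_sloppy(name: str, value: str) -> bool:
    """The common mistake, kept only for comparison with is_valid()."""
    return re.match(ALLOWED[name].pattern + "$", value) is not None


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test for the card number. It rejects most typos and transpositions;
    it is not proof that the card exists."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validation_errors(params: dict) -> list:
    """Every failure for a request's parameters. Unknown parameters are rejected too,
    because an unexpected name is one nobody wrote a whitelist for."""
    errors = []
    for name, value in params.items():
        if name not in ALLOWED:
            errors.append(f"unexpected parameter {name!r}")
        elif not is_valid(name, value):
            errors.append(f"{name}: not {ALLOWED[name].pattern}")
        elif name == "cc" and not luhn_ok(value):
            errors.append("cc: fails Luhn check")
    return errors


def validate_request(params: dict) -> dict:
    """Return the cleaned parameters or raise ValueError listing every failure."""
    errors = validation_errors(params)
    if errors:
        raise ValueError("; ".join(errors))
    return dict(params)


if __name__ == "__main__":
    # Constructed inputs; the card number is the well-known Luhn-valid test value.
    print(validate_request({"ssn": "123456789", "phone": "5551234567", "cc": "4111111111111111"}))
    print(validation_errors({"ssn": "123456789\n", "cc": "4111111111111112", "zip": "1"}))
    print("sloppy accepts trailing newline:", is_valid_sloppy("ssn", "123456789\n"))
    print("strict rejects it:              ", not is_valid("ssn", "123456789\n"))
```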
31.
• Escape untrusted input
◦ If you must accept untrusted input, render it inert by escaping the characters that end a string or start a command (e.g. ' becomes \' or '', depending on the interpreter)
• Encode untrusted input before returning it to the client
◦ <script>alert(1)</script> becomes &lt;script&gt;alert(1)&lt;/script&gt;
◦ Encode for the context the value lands in (HTML body, attribute, JavaScript, URL); HTML entity encoding alone does not protect the other contexts

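Added example for slides 12 and 31, not code from the talk or from Netflix: the parameter name `trkid` and the attack string are taken from slide 12, everything else is assumed. It shows the reflection bug beside its entity-encoded form, the quoted-attribute context where `quote=True` matters, an inline-script context that HTML encoding does not cover (which goes beyond the slide), and the check a tester runs first: whether the probe comes back byte-for-byte. `render_vulnerable`, `render_encoded`, `render_attribute`, `render_js_data` and `reflects_unencoded` are this example's own names.

```python
import html
import json

# Attack string from slide 12; the parameter name trkid is the slide's as well.
PAYLOAD = "<script>alert(document.cookie)</script>"


def render_vulnerable(trkid: str) -> str:
    """Slide 12's bug: the parameter is copied into the page, so the browser
    parses the attacker's markup as part of the document."""
    return f"<p>Tracking id: {trkid}</p>"


def render_encoded(trkid: str) -> str:
    """Slide 31's fix for HTML body context: & < > \" ' become entities, so the browser
    renders the string as text instead of executing it."""
    return f"<p>Tracking id: {html.escape(trkid, quote=True)}</p>"


def render_attribute(trkid: str) -> str:
    """Quoted-attribute context: quote=True matters here, or a value that starts with a
    double quote closes the attribute and adds an event handler such as onmouseover."""
    return f'<input type="hidden" name="trkid" value="{html.escape(trkid, quote=True)}">'


def render_js_data(trkid: str) -> str:
    """Inline-script context, which the slide does not cover: entities are not decoded
    inside <script>, so the value is emitted as a JSON string literal with < > & written
    as \\uXXXX escapes. That also neutralises a </script> breakout inside the literal."""
    literal = json.dumps(trkid)
    literal = literal.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")
    return f"<script>var trkid = {literal};</script>"


def reflects_unencoded(response_body: str, probe: str) -> bool:
    """The check a tester makes first: does the probe come back byte-for-byte?
    If it does, the parameter is a candidate for XSS in whatever context it landed in."""
    return probe in response_body


if __name__ == "__main__":
    attr_probe = '" onmouseover="alert(1)'        # constructed attribute-breakout probe
    js_probe = "</script><script>alert(1)</script>"  # constructed script-breakout probe
    print(render_vulnerable(PAYLOAD))
    print(render_encoded(PAYLOAD))
    print(render_attribute(attr_probe))
    print(render_js_data(js_probe))
    print("vulnerable reflects raw:", reflects_unencoded(render_vulnerable(PAYLOAD), PAYLOAD))
    print("encoded reflects raw:   ", reflects_unencoded(render_encoded(PAYLOAD), PAYLOAD))
```

`reflects_unencoded` is a first pass only: a value that comes back with `<` encoded but `"` untouched is still exploitable in an attribute, which is why the encoder has to be chosen per context rather than applied once at the input.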
32.
• Set cookies using HttpOnly
◦ Injected script cannot read the session cookie through document.cookie; it can still send requests as the victim, so HttpOnly limits cookie theft rather than stopping XSS
• Content-Security-Policy header
◦ https://www.owasp.org/index.php/Content_Security_Policy

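Added example for slide 32, not part of the original deck: a session cookie built with HttpOnly (Secure and SameSite are added alongside it, which assumes the app is served only over HTTPS and does not need cross-site POSTs), a constructed Content-Security-Policy, and two small audit functions that flag the weak cases in a captured Set-Cookie or CSP header. All header values and function names here are constructed for the example.

```python
from __future__ import annotations


def session_cookie_header(name: str, value: str, max_age: int = 3600) -> str:
    """Set-Cookie value for a session cookie. HttpOnly is the slide's point; Secure and
    SameSite are the attributes a practitioner sets next to it."""
    return f"{name}={value}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"


def security_headers(nonce: str) -> dict[str, str]:
    """Response headers for a page whose own inline scripts carry nonce="...".
    Constructed example policy, not a policy from the talk."""
    return {
        "Content-Security-Policy": (
            "default-src 'self'; "
            f"script-src 'self' 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
        ),
    }


def audit_set_cookie(header_value: str) -> list[str]:
    """Findings for one Set-Cookie header, as a response check after a pen test."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().lower()
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: no HttpOnly, readable via document.cookie by injected script")
    if "secure" not in attrs:
        findings.append(f"{name}: no Secure, sent over plain HTTP")
    if attrs.get("samesite") not in ("lax", "strict"):
        findings.append(f"{name}: SameSite not Lax/Strict, sent on cross-site requests (CSRF)")
    return findings


def parse_csp(header_value: str) -> dict[str, list[str]]:
    """Directive name -> source list."""
    directives: dict[str, list[str]] = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_csp(header_value: str | None) -> list[str]:
    """Findings for the effective script-src of a Content-Security-Policy header."""
    if not header_value:
        return ["no Content-Security-Policy header: injected scripts run unrestricted"]
    directives = parse_csp(header_value)
    script = directives.get("script-src", directives.get("default-src"))
    if script is None:
        return ["neither script-src nor default-src set: injected scripts run unrestricted"]
    findings = []
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script
    )
    # Browsers that understand nonces/hashes ignore 'unsafe-inline' when one is present.
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline': an injected <script> still executes")
    if "*" in script or "data:" in script:
        findings.append("script-src allows * or data:, which loads attacker-chosen scripts")
    return findings


if __name__ == "__main__":
    # Constructed headers as a scanner might capture them.
    print(audit_set_cookie("sessionid=abc123; Path=/"))
    print(audit_set_cookie(session_cookie_header("sessionid", "abc123")))
    print(audit_csp("default-src 'self'; script-src 'self' 'unsafe-inline'"))
    print(audit_csp(security_headers("r4nd0m")["Content-Security-Policy"]))
```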
33.
• Again, never trust input from the client; always validate
• Use prepared statements (parameterized queries) whenever possible: the value is bound after the statement is parsed, so it can never be read as SQL
• Where you must build SQL dynamically, escape or encode the dangerous characters (" ' -- ;) using the escaping routine for the specific database; escape everything!
• OWASP SQLi Prevention Cheat Sheet

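Added example for slides 13 to 15 and slide 33, not part of the original deck: the same user lookup written the vulnerable way and with a prepared statement, run against a constructed in-memory SQLite table whose "hashes" are placeholder strings. `blind_extract` dumps a value through nothing but the page's yes/no answer, one character per request, and comes back empty against the parameterized version. `make_db`, `user_exists_vulnerable`, `user_exists_safe`, `blind_extract` and `demo` are this example's own names.

```python
import sqlite3
from typing import Callable

# Constructed sample data; the password_hash values are placeholders, not real hashes.
USERS = [("admin", "5f4dcc3b"), ("alice", "e99a18c4")]
HEX = "0123456789abcdef"  # alphabet of the value being extracted


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users (username, password_hash) VALUES (?, ?)", USERS)
    return conn


def user_exists_vulnerable(conn: sqlite3.Connection, username: str) -> bool:
    """Slide 13: the parameter is spliced into the statement text, so the database
    parses whatever it contains as SQL."""
    sql = f"SELECT id FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchone() is not None


def user_exists_safe(conn: sqlite3.Connection, username: str) -> bool:
    """Slide 33: prepared statement. The value is bound to the placeholder after the
    statement is parsed, so it can only ever be compared as a string."""
    row = conn.execute("SELECT id FROM users WHERE username = ?", (username,)).fetchone()
    return row is not None


def blind_extract(oracle: Callable[[str], bool], target: str, max_len: int = 64) -> str:
    """Boolean-based blind SQLi (slides 14-15): the page only says whether a user exists,
    yet one yes/no question per character dumps any value the query can reach. `target`
    is a scalar subquery. A time-based variant swaps the boolean for a database sleep and
    measures the response time; the loop is otherwise the same."""
    extracted = ""
    for position in range(1, max_len + 1):
        for ch in HEX:
            # The app appends the closing quote, so the probe leaves its last string open.
            probe = f"admin' AND substr({target},{position},1)='{ch}"
            if oracle(probe):
                extracted += ch
                break
        else:
            break  # no character matched: past the end of the value
    return extracted


def demo() -> dict:
    """Run the bypass and the dump against both versions of the lookup."""
    conn = make_db()
    target = "(SELECT password_hash FROM users WHERE username='admin')"
    return {
        "bypass_vulnerable": user_exists_vulnerable(conn, "x' OR '1'='1"),
        "bypass_safe": user_exists_safe(conn, "x' OR '1'='1"),
        "dump_vulnerable": blind_extract(lambda u: user_exists_vulnerable(conn, u), target),
        "dump_safe": blind_extract(lambda u: user_exists_safe(conn, u), target),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Each character costs at most sixteen requests here; a real dump uses a binary search on the character code and runs them in parallel, which is why "the page only returns true or false" is not a mitigation.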
34.
• .NET platform
◦ Microsoft Anti-Cross Site Scripting Library
• ASP.NET Framework
◦ Request validation (the ValidateRequest page/config setting)
• Java
◦ OWASP ESAPI
◦ OWASP Java Encoder Project
• OWASP Encoding Project
◦ Multi-platform: Java, .NET, PHP, Perl, Python, JavaScript, ASP, Ruby

35.
• Secure AppDev starts before code is written
• Grow secure developers: peer reviews, cross-training, mentoring
• Be paranoid! Never trust input
◦ Validate, escape, encode
• Use available security resources (OWASP, SANS, etc.)

36.
• SANS Securing Web Application Technologies Checklist
◦ http://www.securingthehuman.org/developer/swat
• SANS/MITRE Top 25 Software Errors
◦ http://www.sans.org/top25-software-errors/
• OWASP XSS Prevention Cheat Sheet
◦ https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
• OWASP DOM-based XSS Prevention Cheat Sheet
◦ https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
• OWASP SQLi Prevention Cheat Sheet
◦ https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
• OWASP XSS Filter Evasion Cheat Sheet
◦ https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
• OWASP Cheat Sheets
◦ https://www.owasp.org/index.php/Cheat_Sheets

37.
• Google Application Security Library – XSS
◦ http://www.google.com/about/appsecurity/learning/xss/
• Testing for SQL Injection (OWASP-DV-005)
◦ https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OWASP-DV-005)
• Microsoft Anti-Cross Site Scripting Library
◦ http://wpl.codeplex.com/
• OWASP Enterprise Security API
◦ https://www.owasp.org/index.php/ESAPI
• OWASP Encoding Project
◦ https://www.owasp.org/index.php/Category:OWASP_Encoding_Project
• Ruby on Rails Security Basics
◦ https://www.netsparker.com/blog/web-security/ruby-on-rails-security-basics/
• Developing Secure Web Application – Cross-Site Scripting
◦ http://www.slideshare.net/codecampiasi/developing-secure-web-application-crosssite-scripting-xss
• XSSing Your Way to Shell
◦ https://speakerdeck.com/varbaek/xssing-your-way-to-shell

38.
• Greenberg, A. (2013, July 31). SQL injection attacks still enable breaches, all these years later. SC Magazine. Retrieved from http://www.scmagazine.com/sql-injection-attacks-still-enable-breaches-all-these-years-later/article/305433/
• Hold Security. (2014, August 5). You have been hacked. Retrieved from http://www.holdsecurity.com/news/cybervor-breach/
• IDC. (2011). The case for building in web application security from the start [White paper]. Retrieved from http://resources.idgenterprise.com/original/AST-0048510_The_case_for_building_in_web_application_security_from_the_start.PDF
• Jones, C. (1996). Applied software measurement: Assuring productivity and quality. McGraw-Hill.
• Ponemon Institute. (2014). The SQL injection threat study. Retrieved from http://www.dbnetworks.com/contact/PonemonSQLInjectionThreatSurveyDownload.htm
• TippingPoint DVLabs. (2011). 2010 full year top cyber security risks report. Retrieved from http://dvlabs.tippingpoint.com/img/FullYear2010%20Risk%20Report.pdf
• Trustwave. (2013). 2013 global security report. Retrieved from http://www2.trustwave.com/rs/trustwave/images/2013-Global-Security-Report.pdf
• Verizon. (2013). 2012 data breach investigations report. Retrieved from http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012-ebk_en_xg.pdf

39.
• msaunders.sec@gmail.com
• @hardwaterhacker
• Blog: http://hardwatersec.blogspot.com/