INJECTION FLAWS
DANISH INAMDAR
Security Researcher
What are Injection Flaws?
• Injection flaws are a class of security vulnerability that allows a user to “break out” of the web application context.
• A weakness in an application whereby foreign input subverts the otherwise legitimate use of a subsystem.
• Injection flaws allow attackers to relay malicious code through an application to another system.
Is Your Web App Vulnerable to Injection?
• User-supplied data is not validated, filtered or sanitized by the application.
• Hostile data is supplied directly to dynamic queries or non-parameterized calls to the interpreter without context-aware escaping.
• Hostile data is used in ORM search parameters such that the search evaluates to include sensitive or all records.
Different Types of Injection Flaws
Different subsystems == different flaws
• SQL Injection
• Command Injection
• HTML Injection
• LDAP Injection
• XML Injection
• IMAP/SMTP Injection
SQL Injection: Database Query
• Dynamic script that queries the database
• “Direct” access to the database
• Possible to issue CRUD statements and many more…
SQL Injection: Query database
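The “dynamic query versus direct database access” point from the two SQL slides, as an added example that is not from the deck: the same lookup written with string formatting and with a driver placeholder, run against a constructed in-memory SQLite table so the difference in returned rows can be observed offline.

```python
import sqlite3

def make_db():
    # Constructed sample data for the example (not from the slides).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")])
    return conn

def lookup_vulnerable(conn, name):
    # Dynamic query: the user-supplied string becomes part of the SQL text,
    # so a quote character in it changes the structure of the statement.
    sql = "SELECT id, name FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, name):
    # Placeholder: the driver passes the value separately from the query text,
    # so whatever the string contains is only ever compared as data.
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

if __name__ == "__main__":
    conn = make_db()
    hostile = "x' OR '1'='1"                  # constructed hostile value
    print(lookup_vulnerable(conn, hostile))    # every row: the WHERE clause was rewritten
    print(lookup_parameterized(conn, hostile)) # []: no user is literally named that
```

The vulnerable form is the “direct access” the slide warns about; the parameterized form is the secure API the later slides ask for.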
Command Injection
• Web application performs operating system tasks
• Executes external programs/scripts
• Lists files, etc.
ping -c <user_input>
Protection using Command Execution API
os.system("ping -c 127.0.0.1")
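The slide’s ping-with-user-input case, as an added example not taken from the deck: the command line that os.system() would receive next to a hardened form that validates the value with the standard ipaddress module and passes arguments as a list so no shell parses them. The function names are this example’s own.

```python
import ipaddress
import subprocess

def ping_command_line(host):
    # The slide's pattern: the value is pasted into one string that a shell
    # parses, so ";", "|", "&", "$(...)" and backticks inside it are obeyed.
    return "ping -c 1 %s" % host          # what os.system() would receive

def ping_argv(host, count=1):
    # Hardened form. 1) Validate against a strict allow-list: only a literal
    # IP address is accepted. ipaddress raises ValueError for anything else,
    # including "127.0.0.1; id" (hostnames would need their own pattern).
    addr = ipaddress.ip_address(host.strip())
    # 2) Build argv as a list. Without shell=True no shell is involved, so the
    # address is exactly one argument whatever characters it might contain.
    return ["ping", "-c", str(int(count)), str(addr)]

def run_ping(host):
    # Executes the binary directly and returns the CompletedProcess for logging.
    return subprocess.run(ping_argv(host), capture_output=True, text=True, check=False)

def is_safe_ping_input(host):
    # Predicate for request handlers: True only when validation passes.
    try:
        ping_argv(host)
        return True
    except ValueError:
        return False
```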
HTML Injection
• Possible to include HTML tags such as iframes and fake forms; XSS is also possible…
• Can be used in phishing attacks
XML Injection
• Web app talks to backend web services
• Web app’s logic converts parameters to XML for the web services (e.g. SOAP, …)
XML Injection
LDAP Injection
• Lightweight Directory Access Protocol
• Used to access information directories: users, user information, software, computers.
LDAP Injection
• Inserting special characters like (*, |, &, …) can lead to exposure of users’ confidential data
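How the special characters on this slide change a search filter, and how RFC 4515 escaping neutralizes them, as an added example that is not from the deck. The filter template and the helper names are this example’s own.

```python
# RFC 4515 escape sequences for the characters that are special inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    # Escaping every "(" and ")" means the value can never close the current
    # assertion or open a new one, so "&", "|" and "!" inside it stay plain text.
    # Escaping "*" also stops a supplied value from becoming a wildcard match.
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def user_filter_unsafe(uid):
    # The weakness from the slide: the value is concatenated straight into the filter.
    return "(&(objectClass=person)(uid=%s))" % uid

def user_filter_safe(uid):
    # Same filter, value escaped before insertion.
    return "(&(objectClass=person)(uid=%s))" % escape_filter_value(uid)

def assertion_count(filt):
    # Crude structural check: a filter built from this template always opens
    # exactly three parentheses; any more means the input added components.
    return filt.count("(")

if __name__ == "__main__":
    hostile = "*)(uid=*"                      # constructed sample input
    print(user_filter_unsafe(hostile), assertion_count(user_filter_unsafe(hostile)))
    print(user_filter_safe(hostile), assertion_count(user_filter_safe(hostile)))
```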
IMAP/SMTP Injection
• This threat affects all applications that communicate with mail servers (IMAP/SMTP), generally webmail applications.
• We need to verify whether arbitrary IMAP/SMTP commands can be injected into the mail servers because input data is not properly sanitized.
State of Web Framework Security
• Anti-CSRF tokens: can easily be turned off or misconfigured
• Templates escape user input, but only with HTML escaping -> XSS still possible
• Uses an ORM: SQLi still possible (https://rails-sqli.org/)
• We need to use secure APIs or write secure code
Can a WAF solve the problem?
• Web Application Firewalls are for attack detection and prevention
• Most WAFs use blacklists; they do no vulnerability detection.
Protecting against Exploitation: RASP
Runtime Application Self-Protection
• Detects both attacks and vulnerabilities
• No hardware requirements
• Injects security at runtime
• Applies defense inside the application
• Zero code modification and easy integration
• No use of blacklists
RASP by API Instrumentation and Dynamic White-list
• Monkey patching
• Lexical analysis and token generation
• Context determination
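The three steps on this slide in one small Python instrumentation, as an added example not from the deck or any RASP product: os.system() is monkey-patched, each command line is lexed into a token shape, and shapes are learned into a dynamic white-list keyed by the program being run, so a value that adds a shell operator is blocked while a different benign value passes. The class and function names are this example’s own.

```python
import os
import shlex

_SHELL_OPS = {";", "&", "&&", "|", "||", "<", ">", ">>", "(", ")"}

class RaspBlocked(RuntimeError): pass

def token_shape(cmdline):
    # Lexical analysis and token generation: split like /bin/sh, keep control
    # operators as their own tokens, then reduce every token to a type.
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    shape = []
    for i, tok in enumerate(lexer):
        if i == 0:
            shape.append("CMD:" + tok)   # the program being run is the context
        elif tok in _SHELL_OPS:
            shape.append("OP:" + tok)    # a benign call never learns these
        elif tok.startswith("-"):
            shape.append("FLAG:" + tok)
        else:
            shape.append("ARG")          # user-controlled value: type only
    return tuple(shape)

class CommandRasp:
    def __init__(self):
        self.whitelist = set()           # dynamic white-list, filled at runtime
        self._real_system = os.system
    def learn(self, cmdline):
        # Learning mode: record the shape of a command line known to be benign.
        self.whitelist.add(token_shape(cmdline))
    def check(self, cmdline):
        # Enforcement: values may differ between calls, the token shape may not.
        shape = token_shape(cmdline)
        if shape not in self.whitelist:
            raise RaspBlocked("os.system() blocked, unexpected shape %r" % (shape,))
        return True
    def install(self):
        # Monkey patching: every caller of os.system now goes through check().
        os.system = lambda cmdline: self.check(cmdline) and self._real_system(cmdline)
        return self
    def uninstall(self):
        os.system = self._real_system

def demo():
    # Learn one benign invocation, then try a second value (allowed, checked but
    # not executed) and a constructed hostile value (blocked inside the patch).
    rasp = CommandRasp().install()
    rasp.learn("ping -c 1 127.0.0.1")
    allowed = rasp.check("ping -c 1 10.0.0.7")
    try:
        os.system("ping -c 1 127.0.0.1; id")
        blocked = False
    except RaspBlocked:
        blocked = True
    rasp.uninstall()
    return allowed, blocked
```

A quoted value such as 'ping -c 1 "127.0.0.1; id"' keeps the learned shape because the shell would pass it as a single argument, which is exactly why shape comparison rather than character blacklisting is used.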
Challenges
• An ideal RASP should have minimal performance impact.
• Need to adopt more secure techniques in combination with RASP.
• Minimal configuration and easy deployment.
• Implementing preventive measures to avoid session hijacking, credential exposure, etc.
Thank You