Breaching a Web Application - Common Issues and Mitigating Steps
It seems like every day another company's logo is plastered across the media because it has lost thousands, if not millions, of customer records. This kind of data loss damages a company's reputation, and its customers have little control over their private information. Attackers often want this data for financial gain or to embarrass the company. There are several methods a malicious attacker will use to gain access to this data. Injection-based attacks leverage an application's lack of input validation to extract information and allow unauthorized data access. In addition, the platform on which the application resides can be leveraged to gain unauthorized admin access and, ultimately, data access. Both scenarios will be discussed and demonstrated in this talk. Finally, mitigating steps will be discussed at every level of the attack. The approach is a defense-in-depth model that proactively protects a web application. While there is no silver bullet against a determined attacker, these mitigations will make their lives more difficult.
◉ Provides free documentation on offensive and defensive application measures
◉ Curated “OWASP Top Ten” Vulnerabilities
◉ OWASP Web Testing Guide
◉ Contains material for:
◉ Occurs when unintended data is sent to an
◉ Proper input validation / server-side validation is not being performed
◉ A dynamically built query can be altered to execute arbitrary calls or requests
◉ Common Types of Injection
◉ Software Assurance Maturity Model
◉ Integrating Assessment and Review Activities throughout your SDLC
◉ Based on your organization’s security drivers
Source code reviews that are incorporated
A Note About
Assessment of the final solution in an
◉ OWASP has language-specific recommendations
◉ Input Validation – White Listing
◉ Escaping User Input
◉ Review of all technologies in the stack
◉ Implement available hardening guides
◉ Have your solution dynamically tested
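The injection slide above (a dynamically built query altered by unvalidated input) and the mitigation slide (white-list input validation plus escaping/binding of user input) are illustrated together below in an added example that is not part of the talk or its slides. It assumes an in-memory SQLite `users` table constructed inline; the function names and the sample input are the editor's own.

```python
import re
import sqlite3

# Constructed sample data: an in-memory SQLite database with a small users table.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    conn.commit()
    return conn

def lookup_vulnerable(conn, username):
    # Dynamically built query: the untrusted value becomes part of the SQL text,
    # so a crafted value changes the meaning of the statement (the slide's point).
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized_only(conn, username):
    # Layer 1: bind the value instead of concatenating it. The driver keeps the
    # value as data, so it can never alter the structure of the query.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# Allow-list (white-list) for a username: lowercase alphanumerics and underscore only.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")

def lookup_hardened(conn, username):
    # Layer 2: server-side allow-list validation before the value reaches the query.
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username rejected by allow-list")
    return lookup_parameterized_only(conn, username)

def demo():
    conn = build_db()
    # Constructed sample input: a tautology that widens the WHERE clause when concatenated.
    hostile = "x' OR '1'='1"
    try:
        lookup_hardened(conn, hostile)
        hardened_rejected = False
    except ValueError:
        hardened_rejected = True
    return {
        "benign_hardened": lookup_hardened(conn, "alice"),
        "hostile_vulnerable_rows": len(lookup_vulnerable(conn, hostile)),
        "hostile_parameterized_rows": len(lookup_parameterized_only(conn, hostile)),
        "hostile_hardened_rejected": hardened_rejected,
    }
```

Running `demo()` shows the concatenated query returning every row for the hostile value, the parameterized query returning none, and the allow-list rejecting it before any query runs, which is the defense-in-depth layering the talk recommends.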
Any questions?
You can find me at
◉ Slides posted at: