SlideShare uma empresa Scribd logo

Web Servislerinin Hacklenmesi, Ömer Çıtak

Netsparker Türkiye
Netsparker Türkiye

This document provides an overview of web service hacking presented by Ömer Çıtak at BILMÖK in 2017. It begins with introductions and then defines key vocabulary related to APIs, REST, authentication methods, and status codes. It also lists the OWASP Mobile Top 10 security risks and provides brief explanations of "Insecure Data Storage", "Insecure Communication", and other categories. Screenshots are included from a demo on RESTful routes. The presentation emphasizes the importance of security when developing web services and APIs.

Tecnologia
1 de 24
Baixar para ler offline
Web Servislerinin Hacklenmesi Ömer Çıtak XIII. BiLMÖK, 2017
whoami Security Researcher @ Netsparker Ltd. Developer @ Another Times Writer @ Ethical Hacking “Offensive & Defensive” Book Blog: omercitak.com All Social Platform: @Om3rCitak
http
?
apple
http web service
vocabulary ● API => Application Programing Interface
vocabulary ● API => Application Programing Interface ● REST => REpresentational State Transfer
vocabulary ● API => Application Programing Interface ● REST => REpresentational State Transfer ● RESTful => REpresentational State Transfer ful
vocabulary ● API => Application Programing Interface ● REST => REpresentational State Transfer ● RESTful => REpresentational State Transfer ful ● GET, POST, PATCH/PUT, OPTIONS, DELETE
vocabulary ● API => Application Programing Interface ● REST => REpresentational State Transfer ● RESTful => REpresentational State Transfer ful ● GET, POST, PATCH/PUT, OPTIONS, DELETE ● Route
vocabulary ● API => Application Programing Interface ● REST => REpresentational State Transfer ● RESTful => REpresentational State Transfer ful ● GET, POST, PATCH/PUT, OPTIONS, DELETE ● Route ● Basic Authentication
vocabulary ● API => Application Programing Interface ● REST => REpresentational State Transfer ● RESTful => REpresentational State Transfer ful ● GET, POST, PATCH/PUT, OPTIONS, DELETE ● Route ● Basic Authentication ● 200, 201, 400, 401 etc...
vocabulary ● API => Application Programing Interface ● REST => REpresentational State Transfer ● RESTful => REpresentational State Transfer ful ● GET, POST, PATCH/PUT, OPTIONS, DELETE ● Route ● Basic Authentication ● 200, 201, 400, 401 etc… ● Proxy
restful routes
OWASP Mobile Top 10 1. Improper Platform Usage 2. Insecure Data Storage 3. Insecure Communication 4. Insecure Authentication 5. Insufficient Cryptography 6. Insecure Authorization 7. Client Code Quality 8. Code Tampering 9. Reverse Engineering 10. Extraneous Functionality
OWASP Mobile Top 10 Insecure Data Storage This new category is a combination of M2 + M4 from Mobile Top Ten 2014. This covers insecure data storage and unintended data leakage.
OWASP Mobile Top 10 Insecure Communication This covers poor handshaking, incorrect SSL versions, weak negotiation, cleartext communication of sensitive assets, etc.
OWASP Mobile Top 10 Insecure Authentication This category captures notions of authenticating the end user or bad session management. This can include: ● Failing to identify the user at all when that should be required ● Failure to maintain the user's identity when it is required ● Weaknesses in session management
OWASP Mobile Top 10 Insufficient Cryptography The code applies cryptography to a sensitive information asset. However, the cryptography is insufficient in some way. Note that anything and everything related to TLS or SSL goes in M3. Also, if the app fails to use cryptography at all when it should, that probably belongs in M2. This category is for issues where cryptography was attempted, but it wasn't done correctly.
OWASP Mobile Top 10 Insecure Authorization This is a category to capture any failures in authorization (e.g., authorization decisions in the client side, forced browsing, etc.). It is distinct from authentication issues (e.g., device enrolment, user identification, etc.).
demo
where is the güvenlik?
thanks www.omercitak.com All Social Platform: @Om3rCitak

Recomendados

Laravel ile hızlı ve modern web programlama
Laravel ile hızlı ve modern web programlamaLaravel ile hızlı ve modern web programlama
Laravel ile hızlı ve modern web programlamaÖmer Çıtak
 
Is your app secure
Is your app secureIs your app secure
Is your app secureChathuranga Bandara
 
Django Intro
Django IntroDjango Intro
Django IntroLoren Davie
 
Introduction to Django REST Framework
Introduction to Django REST FrameworkIntroduction to Django REST Framework
Introduction to Django REST FrameworkAmitHadole
 
Hundreds of Microservices without Breaking Your APIs
Hundreds of Microservices without Breaking Your APIsHundreds of Microservices without Breaking Your APIs
Hundreds of Microservices without Breaking Your APIsPronovix
 
“Micro Frontends”- You Keep Using That Word, I Don’t Think It Means What You ...
“Micro Frontends”- You Keep Using That Word, I Don’t Think It Means What You ...“Micro Frontends”- You Keep Using That Word, I Don’t Think It Means What You ...
“Micro Frontends”- You Keep Using That Word, I Don’t Think It Means What You ...Shem Magnezi
 
GraphQL vs BFF: A critical perspective
GraphQL vs BFF: A critical perspectiveGraphQL vs BFF: A critical perspective
GraphQL vs BFF: A critical perspectivePronovix
 
Migration from Django to Ember
Migration from Django to EmberMigration from Django to Ember
Migration from Django to EmberLaura Berk
 

Recomendados

Laravel ile hızlı ve modern web programlama
Laravel ile hızlı ve modern web programlamaLaravel ile hızlı ve modern web programlama
Laravel ile hızlı ve modern web programlamaÖmer Çıtak
 
Is your app secure
Is your app secureIs your app secure
Is your app secureChathuranga Bandara
 
Django Intro
Django IntroDjango Intro
Django IntroLoren Davie
 
Introduction to Django REST Framework
Introduction to Django REST FrameworkIntroduction to Django REST Framework
Introduction to Django REST FrameworkAmitHadole
 
Hundreds of Microservices without Breaking Your APIs
Hundreds of Microservices without Breaking Your APIsHundreds of Microservices without Breaking Your APIs
Hundreds of Microservices without Breaking Your APIsPronovix
 
“Micro Frontends”- You Keep Using That Word, I Don’t Think It Means What You ...
“Micro Frontends”- You Keep Using That Word, I Don’t Think It Means What You ...“Micro Frontends”- You Keep Using That Word, I Don’t Think It Means What You ...
“Micro Frontends”- You Keep Using That Word, I Don’t Think It Means What You ...Shem Magnezi
 
GraphQL vs BFF: A critical perspective
GraphQL vs BFF: A critical perspectiveGraphQL vs BFF: A critical perspective
GraphQL vs BFF: A critical perspectivePronovix
 
Migration from Django to Ember
Migration from Django to EmberMigration from Django to Ember
Migration from Django to EmberLaura Berk
 
Laravel ile Hızlı ve Modern Web Programlama, Ömer Çıtak
Laravel ile Hızlı ve Modern Web Programlama, Ömer ÇıtakLaravel ile Hızlı ve Modern Web Programlama, Ömer Çıtak
Laravel ile Hızlı ve Modern Web Programlama, Ömer ÇıtakNetsparker Türkiye
 
OWTG 2016, Web Çatı Şablonlarının Güvenliği (SSTI), Ömer Çıtak
OWTG 2016, Web Çatı Şablonlarının Güvenliği (SSTI), Ömer ÇıtakOWTG 2016, Web Çatı Şablonlarının Güvenliği (SSTI), Ömer Çıtak
OWTG 2016, Web Çatı Şablonlarının Güvenliği (SSTI), Ömer ÇıtakNetsparker Türkiye
 
Bilmök 2017 - Microsoft Yeni Yesil Yazilim Geliştirme Teknolojileri
Bilmök 2017 - Microsoft Yeni Yesil Yazilim Geliştirme TeknolojileriBilmök 2017 - Microsoft Yeni Yesil Yazilim Geliştirme Teknolojileri
Bilmök 2017 - Microsoft Yeni Yesil Yazilim Geliştirme Teknolojileriİbrahim KIVANÇ
 
Web Sunucularına Yönelik DDoS Saldırıları
Web Sunucularına Yönelik DDoS SaldırılarıWeb Sunucularına Yönelik DDoS Saldırıları
Web Sunucularına Yönelik DDoS SaldırılarıBGA Cyber Security
 
Scholars@Cornell: Visualizing the scholarly record
Scholars@Cornell: Visualizing the scholarly recordScholars@Cornell: Visualizing the scholarly record
Scholars@Cornell: Visualizing the scholarly recordMuhammad Javed
 
The Costly Mistakes Companies Make When Implementing Inbound Marketing
The Costly Mistakes Companies Make When Implementing Inbound MarketingThe Costly Mistakes Companies Make When Implementing Inbound Marketing
The Costly Mistakes Companies Make When Implementing Inbound MarketingStoryTeller Media + Communications
 
1.4.2 Профессиональный электромонтаж ДКС
1.4.2 Профессиональный электромонтаж ДКС1.4.2 Профессиональный электромонтаж ДКС
1.4.2 Профессиональный электромонтаж ДКСIgor Golovin
 
Las 52 columnas de opinión en Expansión (Setiembre 2012-Febrero 2018)
Las 52 columnas de opinión en Expansión (Setiembre 2012-Febrero 2018)Las 52 columnas de opinión en Expansión (Setiembre 2012-Febrero 2018)
Las 52 columnas de opinión en Expansión (Setiembre 2012-Febrero 2018)Albert Riba Trullols
 
Collaborative Sketching for Secure & Usable Apps
Collaborative Sketching for Secure & Usable AppsCollaborative Sketching for Secure & Usable Apps
Collaborative Sketching for Secure & Usable AppsRobert Stribley
 
Do You Know the Benefits of Using Healthcare And Fitness Apps
Do You Know the Benefits of Using Healthcare And Fitness AppsDo You Know the Benefits of Using Healthcare And Fitness Apps
Do You Know the Benefits of Using Healthcare And Fitness AppsRapidsoft Technologies
 
Nordic Open Access Policies
Nordic Open Access PoliciesNordic Open Access Policies
Nordic Open Access PoliciesLIBER Europe
 
Ten Phase History of Indo Pak Muslims
Ten Phase History of Indo Pak MuslimsTen Phase History of Indo Pak Muslims
Ten Phase History of Indo Pak MuslimsAgha A
 
Nowoczesne zarządzanie strategiczne
Nowoczesne zarządzanie strategiczneNowoczesne zarządzanie strategiczne
Nowoczesne zarządzanie strategiczneRobert Loranc
 
Writing Groups in Language Teaching
Writing Groups in Language Teaching Writing Groups in Language Teaching
Writing Groups in Language Teaching Malu Sciamarelli
 
Character home debate 2017 - Bryn Davidson
Character home debate 2017 - Bryn DavidsonCharacter home debate 2017 - Bryn Davidson
Character home debate 2017 - Bryn DavidsonBryn Davidson
 
Leveraging Azure Search in Your Application
Leveraging Azure Search in Your ApplicationLeveraging Azure Search in Your Application
Leveraging Azure Search in Your ApplicationJeremy Hutchinson
 
Dayclic 09 mars 2017 HumaNum Loire nantes
Dayclic 09 mars 2017 HumaNum Loire nantesDayclic 09 mars 2017 HumaNum Loire nantes
Dayclic 09 mars 2017 HumaNum Loire nantesBourrion Daniel
 
それPhpStormで出来るよ #phpstudy
それPhpStormで出来るよ #phpstudyそれPhpStormで出来るよ #phpstudy
それPhpStormで出来るよ #phpstudy晃 遠山
 
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated IndustriesCASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated IndustriesNowSecure
 
Web API Security
Web API SecurityWeb API Security
Web API SecurityStefaan
 
Debunking the Top 5 Myths About Mobile AppSec
Debunking the Top 5 Myths About Mobile AppSecDebunking the Top 5 Myths About Mobile AppSec
Debunking the Top 5 Myths About Mobile AppSecNowSecure
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...CA API Management
 

Mais conteúdo relacionado

Destaque

Laravel ile Hızlı ve Modern Web Programlama, Ömer Çıtak
Laravel ile Hızlı ve Modern Web Programlama, Ömer ÇıtakLaravel ile Hızlı ve Modern Web Programlama, Ömer Çıtak
Laravel ile Hızlı ve Modern Web Programlama, Ömer ÇıtakNetsparker Türkiye
 
OWTG 2016, Web Çatı Şablonlarının Güvenliği (SSTI), Ömer Çıtak
OWTG 2016, Web Çatı Şablonlarının Güvenliği (SSTI), Ömer ÇıtakOWTG 2016, Web Çatı Şablonlarının Güvenliği (SSTI), Ömer Çıtak
OWTG 2016, Web Çatı Şablonlarının Güvenliği (SSTI), Ömer ÇıtakNetsparker Türkiye
 
Bilmök 2017 - Microsoft Yeni Yesil Yazilim Geliştirme Teknolojileri
Bilmök 2017 - Microsoft Yeni Yesil Yazilim Geliştirme TeknolojileriBilmök 2017 - Microsoft Yeni Yesil Yazilim Geliştirme Teknolojileri
Bilmök 2017 - Microsoft Yeni Yesil Yazilim Geliştirme Teknolojileriİbrahim KIVANÇ
 
Web Sunucularına Yönelik DDoS Saldırıları
Web Sunucularına Yönelik DDoS SaldırılarıWeb Sunucularına Yönelik DDoS Saldırıları
Web Sunucularına Yönelik DDoS SaldırılarıBGA Cyber Security
 
Scholars@Cornell: Visualizing the scholarly record
Scholars@Cornell: Visualizing the scholarly recordScholars@Cornell: Visualizing the scholarly record
Scholars@Cornell: Visualizing the scholarly recordMuhammad Javed
 
The Costly Mistakes Companies Make When Implementing Inbound Marketing
The Costly Mistakes Companies Make When Implementing Inbound MarketingThe Costly Mistakes Companies Make When Implementing Inbound Marketing
The Costly Mistakes Companies Make When Implementing Inbound MarketingStoryTeller Media + Communications
 
1.4.2 Профессиональный электромонтаж ДКС
1.4.2 Профессиональный электромонтаж ДКС1.4.2 Профессиональный электромонтаж ДКС
1.4.2 Профессиональный электромонтаж ДКСIgor Golovin
 
Las 52 columnas de opinión en Expansión (Setiembre 2012-Febrero 2018)
Las 52 columnas de opinión en Expansión (Setiembre 2012-Febrero 2018)Las 52 columnas de opinión en Expansión (Setiembre 2012-Febrero 2018)
Las 52 columnas de opinión en Expansión (Setiembre 2012-Febrero 2018)Albert Riba Trullols
 
Collaborative Sketching for Secure & Usable Apps
Collaborative Sketching for Secure & Usable AppsCollaborative Sketching for Secure & Usable Apps
Collaborative Sketching for Secure & Usable AppsRobert Stribley
 
Do You Know the Benefits of Using Healthcare And Fitness Apps
Do You Know the Benefits of Using Healthcare And Fitness AppsDo You Know the Benefits of Using Healthcare And Fitness Apps
Do You Know the Benefits of Using Healthcare And Fitness AppsRapidsoft Technologies
 
Nordic Open Access Policies
Nordic Open Access PoliciesNordic Open Access Policies
Nordic Open Access PoliciesLIBER Europe
 
Ten Phase History of Indo Pak Muslims
Ten Phase History of Indo Pak MuslimsTen Phase History of Indo Pak Muslims
Ten Phase History of Indo Pak MuslimsAgha A
 
Nowoczesne zarządzanie strategiczne
Nowoczesne zarządzanie strategiczneNowoczesne zarządzanie strategiczne
Nowoczesne zarządzanie strategiczneRobert Loranc
 
Writing Groups in Language Teaching
Writing Groups in Language Teaching Writing Groups in Language Teaching
Writing Groups in Language Teaching Malu Sciamarelli
 
Character home debate 2017 - Bryn Davidson
Character home debate 2017 - Bryn DavidsonCharacter home debate 2017 - Bryn Davidson
Character home debate 2017 - Bryn DavidsonBryn Davidson
 
Leveraging Azure Search in Your Application
Leveraging Azure Search in Your ApplicationLeveraging Azure Search in Your Application
Leveraging Azure Search in Your ApplicationJeremy Hutchinson
 
Dayclic 09 mars 2017 HumaNum Loire nantes
Dayclic 09 mars 2017 HumaNum Loire nantesDayclic 09 mars 2017 HumaNum Loire nantes
Dayclic 09 mars 2017 HumaNum Loire nantesBourrion Daniel
 
それPhpStormで出来るよ #phpstudy
それPhpStormで出来るよ #phpstudyそれPhpStormで出来るよ #phpstudy
それPhpStormで出来るよ #phpstudy晃 遠山
 

Destaque (18)

Laravel ile Hızlı ve Modern Web Programlama, Ömer Çıtak
Laravel ile Hızlı ve Modern Web Programlama, Ömer ÇıtakLaravel ile Hızlı ve Modern Web Programlama, Ömer Çıtak
Laravel ile Hızlı ve Modern Web Programlama, Ömer Çıtak
 
OWTG 2016, Web Çatı Şablonlarının Güvenliği (SSTI), Ömer Çıtak
OWTG 2016, Web Çatı Şablonlarının Güvenliği (SSTI), Ömer ÇıtakOWTG 2016, Web Çatı Şablonlarının Güvenliği (SSTI), Ömer Çıtak
OWTG 2016, Web Çatı Şablonlarının Güvenliği (SSTI), Ömer Çıtak
 
Bilmök 2017 - Microsoft Yeni Yesil Yazilim Geliştirme Teknolojileri
Bilmök 2017 - Microsoft Yeni Yesil Yazilim Geliştirme TeknolojileriBilmök 2017 - Microsoft Yeni Yesil Yazilim Geliştirme Teknolojileri
Bilmök 2017 - Microsoft Yeni Yesil Yazilim Geliştirme Teknolojileri
 
Web Sunucularına Yönelik DDoS Saldırıları
Web Sunucularına Yönelik DDoS SaldırılarıWeb Sunucularına Yönelik DDoS Saldırıları
Web Sunucularına Yönelik DDoS Saldırıları
 
Scholars@Cornell: Visualizing the scholarly record
Scholars@Cornell: Visualizing the scholarly recordScholars@Cornell: Visualizing the scholarly record
Scholars@Cornell: Visualizing the scholarly record
 
The Costly Mistakes Companies Make When Implementing Inbound Marketing
The Costly Mistakes Companies Make When Implementing Inbound MarketingThe Costly Mistakes Companies Make When Implementing Inbound Marketing
The Costly Mistakes Companies Make When Implementing Inbound Marketing
 
1.4.2 Профессиональный электромонтаж ДКС
1.4.2 Профессиональный электромонтаж ДКС1.4.2 Профессиональный электромонтаж ДКС
1.4.2 Профессиональный электромонтаж ДКС
 
Las 52 columnas de opinión en Expansión (Setiembre 2012-Febrero 2018)
Las 52 columnas de opinión en Expansión (Setiembre 2012-Febrero 2018)Las 52 columnas de opinión en Expansión (Setiembre 2012-Febrero 2018)
Las 52 columnas de opinión en Expansión (Setiembre 2012-Febrero 2018)
 
Collaborative Sketching for Secure & Usable Apps
Collaborative Sketching for Secure & Usable AppsCollaborative Sketching for Secure & Usable Apps
Collaborative Sketching for Secure & Usable Apps
 
Do You Know the Benefits of Using Healthcare And Fitness Apps
Do You Know the Benefits of Using Healthcare And Fitness AppsDo You Know the Benefits of Using Healthcare And Fitness Apps
Do You Know the Benefits of Using Healthcare And Fitness Apps
 
Nordic Open Access Policies
Nordic Open Access PoliciesNordic Open Access Policies
Nordic Open Access Policies
 
Ten Phase History of Indo Pak Muslims
Ten Phase History of Indo Pak MuslimsTen Phase History of Indo Pak Muslims
Ten Phase History of Indo Pak Muslims
 
Nowoczesne zarządzanie strategiczne
Nowoczesne zarządzanie strategiczneNowoczesne zarządzanie strategiczne
Nowoczesne zarządzanie strategiczne
 
Writing Groups in Language Teaching
Writing Groups in Language Teaching Writing Groups in Language Teaching
Writing Groups in Language Teaching
 
Character home debate 2017 - Bryn Davidson
Character home debate 2017 - Bryn DavidsonCharacter home debate 2017 - Bryn Davidson
Character home debate 2017 - Bryn Davidson
 
Leveraging Azure Search in Your Application
Leveraging Azure Search in Your ApplicationLeveraging Azure Search in Your Application
Leveraging Azure Search in Your Application
 
Dayclic 09 mars 2017 HumaNum Loire nantes
Dayclic 09 mars 2017 HumaNum Loire nantesDayclic 09 mars 2017 HumaNum Loire nantes
Dayclic 09 mars 2017 HumaNum Loire nantes
 
それPhpStormで出来るよ #phpstudy
それPhpStormで出来るよ #phpstudyそれPhpStormで出来るよ #phpstudy
それPhpStormで出来るよ #phpstudy
 

Semelhante a Web Servislerinin Hacklenmesi, Ömer Çıtak

CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated IndustriesCASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated IndustriesNowSecure
 
Web API Security
Web API SecurityWeb API Security
Web API SecurityStefaan
 
Debunking the Top 5 Myths About Mobile AppSec
Debunking the Top 5 Myths About Mobile AppSecDebunking the Top 5 Myths About Mobile AppSec
Debunking the Top 5 Myths About Mobile AppSecNowSecure
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...CA API Management
 
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?NowSecure
 
DataMindsConnect2018_SECDEVOPS
DataMindsConnect2018_SECDEVOPSDataMindsConnect2018_SECDEVOPS
DataMindsConnect2018_SECDEVOPSTobias Koprowski
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonAdar Weidman
 
OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017TecsyntSolutions
 
OWASP Day - OWASP Day - Lets secure!
OWASP Day - OWASP Day - Lets secure! OWASP Day - OWASP Day - Lets secure!
OWASP Day - OWASP Day - Lets secure! Prathan Phongthiproek
 
SAP (In)Security: New and Best
SAP (In)Security: New and BestSAP (In)Security: New and Best
SAP (In)Security: New and BestPositive Hack Days
 
Owasp top 10 web application security hazards - Part 1
Owasp top 10 web application security hazards - Part 1Owasp top 10 web application security hazards - Part 1
Owasp top 10 web application security hazards - Part 1Abhinav Sejpal
 
OWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksOWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksKun-Da Wu
 
Magento Application Security [EN]
Magento Application Security [EN]Magento Application Security [EN]
Magento Application Security [EN]Anna Völkl
 
5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...
5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...
5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...CA API Management
 
Android P Security Updates: What You Need to Know
Android P Security Updates: What You Need to KnowAndroid P Security Updates: What You Need to Know
Android P Security Updates: What You Need to KnowNowSecure
 
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017Philippe Gamache
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 Philippe Gamache
 

Semelhante a Web Servislerinin Hacklenmesi, Ömer Çıtak (20)

CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated IndustriesCASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
 
Web API Security
Web API SecurityWeb API Security
Web API Security
 
Debunking the Top 5 Myths About Mobile AppSec
Debunking the Top 5 Myths About Mobile AppSecDebunking the Top 5 Myths About Mobile AppSec
Debunking the Top 5 Myths About Mobile AppSec
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
 
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
 
DataMindsConnect2018_SECDEVOPS
DataMindsConnect2018_SECDEVOPSDataMindsConnect2018_SECDEVOPS
DataMindsConnect2018_SECDEVOPS
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
 
OWASP Top10 2010
OWASP Top10 2010OWASP Top10 2010
OWASP Top10 2010
 
OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017
 
OWASP Day - OWASP Day - Lets secure!
OWASP Day - OWASP Day - Lets secure! OWASP Day - OWASP Day - Lets secure!
OWASP Day - OWASP Day - Lets secure!
 
SAP (In)Security: New and Best
SAP (In)Security: New and BestSAP (In)Security: New and Best
SAP (In)Security: New and Best
 
Owasp top 10 web application security hazards - Part 1
Owasp top 10 web application security hazards - Part 1Owasp top 10 web application security hazards - Part 1
Owasp top 10 web application security hazards - Part 1
 
OWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksOWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risks
 
2014 09-04-pj
2014 09-04-pj2014 09-04-pj
2014 09-04-pj
 
Magento Application Security [EN]
Magento Application Security [EN]Magento Application Security [EN]
Magento Application Security [EN]
 
5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...
5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...
5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...
 
Android P Security Updates: What You Need to Know
Android P Security Updates: What You Need to KnowAndroid P Security Updates: What You Need to Know
Android P Security Updates: What You Need to Know
 
OWASP Top 10 for Mobile
OWASP Top 10 for MobileOWASP Top 10 for Mobile
OWASP Top 10 for Mobile
 
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
 

Último

What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 

Último (20)

What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 

Web Servislerinin Hacklenmesi, Ömer Çıtak

  • 2. whoami Security Researcher @ Netsparker Ltd. Developer @ Another Times Writer @ Ethical Hacking “Offensive & Defensive” Book Blog: omercitak.com All Social Platform: @Om3rCitak
  • 4. ?
  • 7. vocabulary ● API => Application Programing Interface
  • 8. vocabulary ● API => Application Programing Interface ● REST => REpresentational State Transfer
  • 9. vocabulary ● API => Application Programing Interface ● REST => REpresentational State Transfer ● RESTful => REpresentational State Transfer ful
  • 10. vocabulary ● API => Application Programing Interface ● REST => REpresentational State Transfer ● RESTful => REpresentational State Transfer ful ● GET, POST, PATCH/PUT, OPTIONS, DELETE
  • 11. vocabulary ● API => Application Programing Interface ● REST => REpresentational State Transfer ● RESTful => REpresentational State Transfer ful ● GET, POST, PATCH/PUT, OPTIONS, DELETE ● Route
  • 12. vocabulary ● API => Application Programing Interface ● REST => REpresentational State Transfer ● RESTful => REpresentational State Transfer ful ● GET, POST, PATCH/PUT, OPTIONS, DELETE ● Route ● Basic Authentication
  • 13. vocabulary ● API => Application Programing Interface ● REST => REpresentational State Transfer ● RESTful => REpresentational State Transfer ful ● GET, POST, PATCH/PUT, OPTIONS, DELETE ● Route ● Basic Authentication ● 200, 201, 400, 401 etc...
  • 14. vocabulary ● API => Application Programing Interface ● REST => REpresentational State Transfer ● RESTful => REpresentational State Transfer ful ● GET, POST, PATCH/PUT, OPTIONS, DELETE ● Route ● Basic Authentication ● 200, 201, 400, 401 etc… ● Proxy
  • 16. OWASP Mobile Top 10 1. Improper Platform Usage 2. Insecure Data Storage 3. Insecure Communication 4. Insecure Authentication 5. Insufficient Cryptography 6. Insecure Authorization 7. Client Code Quality 8. Code Tampering 9. Reverse Engineering 10. Extraneous Functionality
  • 17. OWASP Mobile Top 10 Insecure Data Storage This new category is a combination of M2 + M4 from Mobile Top Ten 2014. This covers insecure data storage and unintended data leakage.
  • 18. OWASP Mobile Top 10 Insecure Communication This covers poor handshaking, incorrect SSL versions, weak negotiation, cleartext communication of sensitive assets, etc.
  • 19. OWASP Mobile Top 10 Insecure Authentication This category captures notions of authenticating the end user or bad session management. This can include: ● Failing to identify the user at all when that should be required ● Failure to maintain the user's identity when it is required ● Weaknesses in session management
  • 20. OWASP Mobile Top 10 Insufficient Cryptography The code applies cryptography to a sensitive information asset. However, the cryptography is insufficient in some way. Note that anything and everything related to TLS or SSL goes in M3. Also, if the app fails to use cryptography at all when it should, that probably belongs in M2. This category is for issues where cryptography was attempted, but it wasn't done correctly.
  • 21. OWASP Mobile Top 10 Insecure Authorization This is a category to capture any failures in authorization (e.g., authorization decisions in the client side, forced browsing, etc.). It is distinct from authentication issues (e.g., device enrolment, user identification, etc.).
  • 22. demo
  • 23. where is the güvenlik?