OWASP AppSecEU09 Poland 2 Title Content Who am I and what is all this about? How we got here? Spidering, Scrapping, depth web, Harvesting Example So how does it work? How does it relates to security? Examples All you need, nothing you dont. The right solution for the specific scenario. Conclusions
OWASP AppSecEU09 Poland 3 Who am I? What I did Application Developer Linux Administrator (ISP and Portals) Network & Security Engineer Solution Architect and PM Lead Web App. Developments Full time boyfriend Article Objective Expose to the web (and security) community, that a trivial technique as harvesting could be lethal for the online business (the one that pays our bills).
OWASP AppSecEU09 Poland 4 How did we get here? SpideringScrappingHarvesting Origins: Spidering, Search Engines boom. Scrapping: no agreement on what to share. Deep Web definition. Harvesting comes to play.
OWASP AppSecEU09 Poland 5 How does it work? Ingredients: Perform reverse engineering on the target Web Application. Re-create a normal request with a piece of code. Run it with multiple threads. Fast Clicking run them all quick!
OWASP AppSecEU09 Poland 6 How does it relates to security? Social Network Example Brute Force attack Session (cookies) Login portal Subject Oriented SPAM Privacy Disclosure DoS Attacks Storage Exhaustion Request Exhaustion Etc…
OWASP AppSecEU09 Poland 7 How does it relates to security? Airline Example Ratio between search / operations sold will increase. Database off-load or mining. Harvested: Ratio between processing capacity / request and SLOs are lost, $ comes in to the game.
OWASP AppSecEU09 Poland 8 Solutions: All you need, nothing you dont. Token Session + Page Session The server sends a token (created based on the original inputs –aka: credentials, etc) to the user. Regenerates every X seconds/minutes –accommodate this to paranoia- The web servers creates links on the html not based on classic url but using the token and mapping this to the real urls. http://www.foo.com/page.jsp?acc=1000&type=current http://www.foo.com/page.jsp?token=fjweofji235233 Delta between clicks Event Correlation Content Presentation (images) CAPTCHAS Web servers, AJAX makes crawling far more complex Monitoring
OWASP AppSecEU09 Poland 9 Dziekuje! and lets go for a beer….