Common Web Application Vulnerabilities Know Your Enemy.

1 Common Web Application Vulnerabilities Know Your Enemy

2 Speakers
Jason Chrin – Infrastructure Security
Jonathan Bailer – Code Vulnerability
Lawrence Wolfe – The Human Factor

3 The State of the Internet - 2014
January
– Target: 70 million contact records stolen
– Michaels: 2.6 million credit cards stolen
May
– eBay: 223 million customer accounts stolen
June
– Evernote: DDoS
September
– Home Depot: 56 million credit cards stolen
– Google: 5 million accounts compromised
– Apple: iCloud hacking

4 Motivations Behind Attacks Source:


6 Attack Surface
The sum of all paths for data/commands into and out of the application
The code that protects these paths
All valuable data used in the application, including secrets and keys, intellectual property, critical business data, personal data and Personally Identifiable Information
The code that protects this data

7 Limiting your Attack Surface Warner Bros. Pictures 2006

8 Limiting your Attack Surface
Build and maintain a secure network
Data Security Policies
Encryption and secure transmission

9 Attack Type 1: Port Scanning
Attacker attempts to connect to various ports on your networks
Tries to determine what is open on the network and can be used as an entry vector

10 Firewall – external access
The front door to your application
Only open access that is needed
Only allow ingress from known locations

11 Firewall – internal access
DMZ
Network Segmentation
Application firewalls

12 Attack Type 2: Eavesdropping Source:

13 Data Security
Types of sensitive data
1. Regulated
– Financial Information
– Healthcare Information
2. Unregulated
– Proprietary Information
– Confidential Information

14 How to Handle Your Data
Securely store data – use encryption
Only store what data is needed
Limit access to data
Encrypted transmission – SSL

15 Attack Type 3: Password Attacks
Brute force attacks
Info gained from Eavesdropping
Default credential attempts

16 Secure Access
Remote access over secure channels
– VPN
– SSL connections
Authentication
– Unique credentials for each user
– Strong password policy
– Multi-Factor Authentication

17 What is MFA?
Possession Factor – something the user has
Knowledge Factor – something the user knows
Inherence Factor – something the user is

18 Logging
Access logging for system connections
Application-level logging
Log monitoring software

19 Attack Type 4: Application Layer Attack
Targets application servers looking for OS or application faults
Bypasses normal access controls
Gains elevated privileges

20 Patch Management
OS Updates
Application Updates
AV / Malware Definitions

21 Active Scanning
Anti-Virus – Protects against malicious code
Malware – Annoyance programs that may offer a back door to attackers
Intrusion Detection – Automated monitoring for suspicious activity
Penetration Testing

22 Attack Type 5: Man in the Middle Source:

23 Preventing Man in the Middle
Use strong encryption for communication
Segregate production networks

24 Be Diligent
This is just a start
New exploits found daily
Review your logs and procedures
External auditing


26 What does code vulnerability mean?
Flaw or oversight in an application allowing unauthorized or unintended use

27 Types of code vulnerabilities
Injection
Cross-site scripting (XSS)
Cross-site request forgery (CSRF)
Information leakage

28 Injection - What is it?
Processing of invalid data changing the course of execution
– Arbitrary modification of data
– Installation of malware
– Privilege escalation
– HTML/Script injection

29 Injection – How does it work?

30 Injection - Example


32 Injection – Types
SQL Injection
HTML Script Injection
Dynamic Evaluation Vulnerability
Object injection (serialization)
Remote File Injection
Shell Injection

33 Injection – Prevention
Whitelist input

34 Injection – Prevention
Whitelist input
Sanitize input

35 Injection – Prevention
Whitelist input
Sanitize input
Parameterization
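An added example (not from the presentation) of the two controls from slides 33 to 35 applied to SQL injection: a query built by string concatenation beside the same lookup with the user value bound as a parameter and the sort column checked against a whitelist, since identifiers cannot be parameterized. The table, rows and column names are constructed for the example.

```python
import sqlite3

# Constructed in-memory database standing in for the application's data store.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                 [(1, "alice", "admin"), (2, "bob", "user")])

# Whitelist of sort columns: table and column names cannot be bound as
# parameters, so they are matched against a fixed set instead.
SORT_COLUMNS = {"id", "name"}


def find_user_vulnerable(name: str) -> list:
    """Concatenation: the caller's input becomes part of the SQL text,
    so quote characters in it change the statement's meaning."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(name: str, sort_by: str = "id") -> list:
    """Parameterization for the value, whitelist for the identifier.
    The driver sends `name` as data, never as SQL text."""
    if sort_by not in SORT_COLUMNS:
        raise ValueError("unexpected sort column")
    sql = f"SELECT id, name FROM users WHERE name = ? ORDER BY {sort_by}"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    tampered = "x' OR '1'='1"          # constructed hostile input
    print(find_user_vulnerable(tampered))   # every row comes back
    print(find_user_safe(tampered))         # no user is literally named that
```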

36 Cross-site Scripting – What is it? Injecting client-side script into Web pages viewed by other users

37 Cross-site Scripting – Example

38 Cross-site Scripting – Types
Non-Persistent – Query string, post data, etc. (e.g. search results)
Persistent – Database or file changes (e.g. comments)
DOM-based – Runs entirely in the client

39 Cross-site Scripting - Prevention
Sanitize user input and output that is based on user-created content
Top-down testing and analysis of client-side scripts
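An added example (not from the presentation) of the output side of that advice: the same user-created content rendered unescaped, then escaped for the three contexts the slides' XSS types touch (page body for a stored comment, an attribute value for a reflected search term, and data handed to client-side script). Function names and sample markup are constructed for the example.

```python
import html
import json


def render_comment_vulnerable(comment: str) -> str:
    """Persistent XSS shape: stored content copied into the page unchanged."""
    return '<div class="comment">' + comment + "</div>"


def render_comment_safe(comment: str) -> str:
    """HTML text context: & < > " ' become entities, so tags in the
    comment are displayed as text rather than parsed as markup."""
    return '<div class="comment">' + html.escape(comment, quote=True) + "</div>"


def render_search_safe(query: str) -> str:
    """Attribute context (non-persistent case): the value is quoted and
    escaped so a quote in the input cannot close the attribute early."""
    return '<input name="q" value="' + html.escape(query, quote=True) + '">'


def render_js_data_safe(data: dict) -> str:
    """Data for client-side script: serialize as JSON and escape '<' so a
    '</script>' inside the data cannot terminate the script block."""
    payload = json.dumps(data).replace("<", "\\u003c")
    return "<script>var profile = " + payload + ";</script>"


def contains_raw_tag(markup: str, tag: str = "script") -> bool:
    """Check used in tests: does the rendered markup contain a live <tag>?"""
    return ("<" + tag) in markup.lower()
```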

40 Cross-site Request Forgery – What is it?
Causing a user’s browser to perform an unwanted action on a trusted site for which the user is authenticated. A form of the confused deputy problem.

41 Cross-site Request Forgery – Example

42 Cross-site Request Forgery – Prevention
Synchronizer token pattern
Cookie-to-header token
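An added example (not from the presentation) of both defenses named on the slide. The synchronizer token is generated per session, embedded in the form and compared in constant time on submission; the cookie-to-header variant checks that a custom header echoes the cookie value, which a cross-site form post cannot set. The session store, form and header name are constructed for the example.

```python
import hmac
import secrets

# Constructed in-memory session store standing in for the app's session backend.
SESSIONS: dict = {}


def start_session() -> str:
    """Create a session and mint one unpredictable CSRF token for it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_form(sid: str) -> str:
    """Synchronizer token pattern: the server embeds the session's token
    in every state-changing form it serves."""
    token = SESSIONS[sid]["csrf_token"]
    return ('<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '</form>')


def handle_post(sid: str, form: dict) -> bool:
    """Accept the request only if the submitted token matches the one held
    for this session. A forged cross-site request has no way to read it."""
    session = SESSIONS.get(sid)
    if session is None:
        return False
    submitted = form.get("csrf_token", "")
    # compare_digest avoids leaking the token through timing differences.
    return hmac.compare_digest(submitted, session["csrf_token"])


def handle_post_cookie_to_header(csrf_cookie: str, headers: dict) -> bool:
    """Cookie-to-header token: page script copies the cookie into a custom
    header. Browsers attach the cookie to cross-site requests but will not
    let another origin add the header, so the two must match."""
    if not csrf_cookie:
        return False
    return hmac.compare_digest(headers.get("X-CSRF-Token", ""), csrf_cookie)
```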

43 Information Leakage – What is it?
Application unintentionally revealing sensitive information
– System/environment configuration
– User information
– etc.

44 Information Leakage – What is it?
Comments visible in response data
Overly detailed error information
Difference in behavior

45 Information Leakage – Example

46 Information Leakage – Example

47 Information Leakage - Prevention
Parse errors before display
Remove debugging information from production
Always be aware of what your application’s behavior reveals
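An added example (not from the presentation) covering two of the leakage sources from slide 44: overly detailed errors, handled by logging the full exception server-side and returning only a generic message with a reference id, and difference in behavior, shown with a login that reveals which usernames exist beside one that answers identically either way. The user table, hash stand-in and messages are constructed for the example.

```python
import hmac
import logging
import secrets

log = logging.getLogger("app")


def fake_hash(password: str) -> str:
    """Stand-in for a real password hash, constructed for this example."""
    return "hash-of-" + password


USERS = {"alice": fake_hash("alice-pw")}   # constructed user store


def handle_request(action) -> dict:
    """Parse errors before display: the stack trace and exception text go
    to the server log, the client gets a generic message plus a reference
    id that support can match against the log entry."""
    try:
        return {"status": 200, "body": action()}
    except Exception:
        ref = secrets.token_hex(8)
        log.exception("request failed, ref=%s", ref)
        return {"status": 500, "body": f"Something went wrong (ref {ref})"}


def login_leaky(user: str, password: str) -> str:
    """Different answers for unknown user and wrong password let a caller
    confirm which usernames exist."""
    if user not in USERS:
        return "unknown user"
    if USERS[user] != fake_hash(password):
        return "wrong password"
    return "ok"


def login_uniform(user: str, password: str) -> str:
    """Same message on both failure paths; the hash is computed and
    compared in every case so the two paths also do similar work."""
    stored = USERS.get(user, "")
    candidate = fake_hash(password)
    ok = bool(stored) and hmac.compare_digest(stored, candidate)
    return "ok" if ok else "invalid username or password"
```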

48 THE HUMAN FACTOR Know Your Enemy

49 The Human Factor: Code Review Source: SmartBear

50 The Human Factor: Code Review Source: SmartBear

51 The Human Factor: Code Review What if?

52 The Human Factor: Code Review What if… …one of those bugs is a security vulnerability that exposes customer data?

53 The Human Factor: Code Review What if… …one of those bugs is a security vulnerability that exposes customer data?
Labor + Damages = $$$ Millions? Billions?

54 The Human Factor: Code Review
Self audit through annotation & peer review
– Fewer defects, better performing code
– Reduces chance of vulnerable code making it to production
– Go from as strong as your weakest link to as good as the best on your team
– Reduce technical debt
– Continuous education
Tools
– SmartBear Collaborator, Atlassian Crucible

55 The Human Factor: Source Control

56 Source Control
– Beyond version management and feature development
– Enables code collaboration and vulnerability prevention
– Merge workflow, feature/module branches
– Git – BitBucket, GitHub + Console, SourceTree, VS
Automated Builds
– Continuous Integration
– Code Standards, Static Analysis
– Reduces potential for introducing insecure configurations
– Empowers team and individual accountability
– Tools: Jenkins, Team Foundation Server, Travis CI (cloud)

57 The Human Factor: Sensitive Data

58 Obfuscated, Masked and Mock Data
– Limit developer access to production data when possible, e.g. employee, customer and financial data
– Development data sources should not contain real data
– Use mock data for test-driven development
– Tools
SQL: redgate SQL Data Generator
Ruby: Faker::HipsterIpsum

59 The Human Factor: Modular Dev

60 For large projects and teams, isolate risks with modular development
Architect for modular development, e.g. SOA, libraries, packages, gems
Developer only needs access to build specific components

61 The Human Factor: Social Hacking

62 Phishing – Common behaviors
Spear Phishing – Specific target
Impersonation – “Service Desk”

63 Thank You! Q&A
