
Web Security Demystified Justin C. Klein Keane Sr. InfoSec Specialist University of Pennsylvania School of Arts and Sciences Information Security and Unix.

Presentation transcript:

Slide 1: Web Security Demystified
- Justin C. Klein Keane, Sr. InfoSec Specialist
- University of Pennsylvania, School of Arts and Sciences, Information Security and Unix Systems
- http://www.MadIrish.net
- Twitter: MadIrish2600

Slide 2: Overview
- About your site, from evil eyes
- Attacker objective
- Means of attack
- Motive
- Why this stuff works
- What you can do

Slide 3: Erroneous Assumptions
- “I'm running a small site, who would want to hack it?”
- “I back everything up nightly, at most I'll only lose a day's worth of stuff.”
- “I'm the only one with admin rights, so it's not an issue.”
- “It doesn't matter if the site goes down from time to time.”
- Your data isn't necessarily what an attacker wants!

Slide 4: Risk Analysis
- Risk is often calculated as: Threat x Impact x Likelihood
- Unfortunately, quantifying “threat” is almost impossible
- Likelihood is also tough to gauge
- Impact we can do, though (maybe)

Slide 5: Objectives
- First the obvious ones:
  - p0wn your box3n
  - Deface your website
  - Abuse your e-commerce
  - Steal your data
  - Account access

Slide 6: Objectives (cont.)
- Less obvious:
  - Black hat SEO
  - Bandwidth (botnets): spam, phishing, fast flux DNS
  - Hosting: drive-by download, RFI
  - Click fraud

Slide 7: Objectives (cont.)
- Ultimately you can never predict!

Slide 8: Means
- Script injection (user trust exploitation)
  - Stored and reflected
- XSRF (application trust exploitation)
- SQL injection
- Account compromise
  - Brute force
  - Session flaws
  - Social engineering

Slide 9: Means (cont.)
- Privilege escalation
- Social engineering
  - Trust exploitation (content)
- Information disclosure
- Code execution
- Application exploitation
  - When features become flaws
- Access control bypass

Slide 10: Means (cont.)
- 10 years ago XSS wasn't a threat
- New means emerge regularly

Slide 11: Motive
- Prestige
- Money
- Political
- The world may never know...

Slide 12: Why hacking works
- Security is a specialization
- Security is an evolving, moving target
- No easy way to automate vulnerability detection
- Web app attacks don't require proximity
- Your site is always on
- You have to be right 100% of the time; the bad guys, not so much

Slide 13: Unfortunately
- Software security flaws are inevitable
- Studies show a certain number of bugs per X lines of code
- A percentage of bugs will be security related

Slide 14: A Word...
- Open source vs. closed source
  - No matter what anyone tells you, neither is more secure
- Check out Veracode's analysis: http://www.veracode.com/reports/index.html
- Closed source does put more onus on the vendor, though

Slide 15: Roots of the Problem
- Mixing data with code
  - HTML is inherently flawed in this respect
  - Where does display stop and execution begin?
- Input validation
- Output validation
- It's usually easier to do things in an unsafe way
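As an added illustration of the data/code mix this slide describes (not code from the presentation): the same user-supplied comment rendered into an HTML template with and without output encoding, plus a rough check that can also serve as a log trigger when prevention is not possible. The sample comment and the template are constructed for the example.

```python
import html
import re

# Constructed sample input, the kind of value a comment form might receive.
SAMPLE_COMMENT = '<script>alert("xss")</script> Great talk!'

# Constructed template: user data lands in both an attribute and the text body.
TEMPLATE = '<p class="comment" title="{attr}">{body}</p>'

# Tag-like tokens: where the HTML parser stops displaying and starts executing.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def render_unsafe(comment: str) -> str:
    """Concatenates user data straight into HTML. The browser cannot tell
    where the author's markup stops and the user's data begins, so any tag
    in the data is parsed as code rather than shown as text."""
    return TEMPLATE.format(attr=comment, body=comment)


def render_safe(comment: str) -> str:
    """Output encoding for the HTML text and attribute contexts: '<', '>',
    '&', '"' and "'" become entities, so the data can only be displayed."""
    encoded = html.escape(comment, quote=True)
    return TEMPLATE.format(attr=encoded, body=encoded)


def find_markup(value: str) -> list:
    """Returns the tag-like tokens present in a user-supplied value. Useful
    as an input-validation signal or, if you cannot reject, as the reason
    to write a log entry."""
    return TAG_RE.findall(value)


def user_markup_survived(rendered: str, comment: str) -> bool:
    """Rough output check: did any tag-like token from the user's value reach
    the rendered page unencoded? Only tokens taken from the user data are
    looked for, so the template's own <p> tag does not count."""
    return any(token in rendered for token in find_markup(comment))


if __name__ == "__main__":
    for name, renderer in (("unsafe", render_unsafe), ("safe", render_safe)):
        page = renderer(SAMPLE_COMMENT)
        print(f"{name}: markup survived = {user_markup_survived(page, SAMPLE_COMMENT)}")
        print("  " + page)
```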

Slide 16: Emerging Sources of Vulnerability
- The web is evolving!
- Flash or other animation
- AJAX
- Remote data sources, APIs and interoperability
- New platforms, code, and technology
- New programmers

Slide 17: Learn to
- Commit to an application lifecycle
  - Security is an ongoing process
  - Plan for vulnerabilities, and patches!
- Be sure your code evolves as threats do
- Keep your components up to date
- Use all the security tools of the stack
  - Database, filesystem, operating system, etc.

Slide 18: Learn to
- Protect, detect, react
  - If you can't prevent, log!
  - Segregate your detection mechanisms
- KISS
  - Complexity is the enemy of security
- Enforce permissions
  - You are using permissions, right?
  - Privilege separation and privilege enforcement

Slide 19: Extend your Security
- Bake security in (from the start)
- Add security on
  - Use additions like: IDS, web application firewall, IPS, encryption, code review and penetration testing, etc.

Slide 20: Questions
- Thanks!
- Justin@MadIrish.net

