Web application security
Web Application Security
Firewalls will not be able to protect you
Akash Mahajan – Chapter Lead for null Bangalore
What should keep you up at night
• 95% of attacks are against “Web Servers and Web Applications” aka Websites
• The top 3 verticals compromised were Financial Services, Hospitality and Retail.
• More than 60% of attacks were caused by external agents.
• Primary attack vector was SQL Injection and was used to install customized malware.
• Injection Attacks are #1 critical flaw in applications
Sources: Verizon DBIR 2010, WhiteHat Security Statistics, OWASP Top 10 2010
Web App Attacks: SQL Injection Attacks
• Number plate to foil an automatic license plate scanner!
• An attack which allows SQL to be executed as part of the input.
Web App Attacks: Bobby Tables!
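The Bobby Tables problem in runnable form, as an added example that is not part of the original slides: the same lookup written with string concatenation (the flaw the slides describe) and with a parameterised query, run against a constructed in-memory SQLite table with a tautology input so the difference is visible. The table, rows and function names are assumptions for the demo.

```python
import sqlite3


def make_db():
    # Constructed in-memory user store standing in for a site's database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_vulnerable(conn, username):
    # Input is concatenated into the statement text, so anything the user
    # types becomes part of the SQL: exactly the flaw the slides describe.
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    # Parameterised query: the driver passes the value separately from the
    # statement, so quotes or keywords in the input are just characters.
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo():
    conn = make_db()
    # Constructed tautology input of the kind a scanner sends; with the
    # vulnerable lookup it turns the WHERE clause into "... OR '1'='1'".
    hostile = "x' OR '1'='1"
    return {
        "vulnerable": find_user_vulnerable(conn, hostile),  # every row
        "safe": find_user_safe(conn, hostile),              # no rows
        "normal": find_user_safe(conn, "alice"),            # alice only
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```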
Web App Attacks: XSS
• XSS was used to get root on an apache.org server in April 2010
• A popular shopping website that used to sell only books and now sells other stuff as well.
• That inner window is an iframe injected in a simple search request.
Picture courtesy null Keeda Vulnerability Database
Other Critical Flaws/Attacks
• Cross Site Request Forgery
  o Attacks the user of the application
• Clickjacking
  o Facebook Like attack
• Security Mis-configurations
  o Default passwords in DSL routers
• Insecure Cryptographic Storage
  o Apache Attack
• Tiny URLs
  o Employees trust and click on anything!
Solutions/Mitigations
• Training in Secure Coding for Developers
• Code Reviews by competent security folks
• Regular mining of web server logs
• Application Security Practice
• Awareness about new attacks
• Set up a red team in the company
About null
• Null – Indian Open Security Community null.co.in
• Registered non-profit society
• 5 active chapters in India
• We conduct monthly meetings, regular awareness camps and trainings.
• More than 1000 security professionals and enthusiasts in the group.
• Null Keeda Vulnerability Database
http://keeda.nullcon.net
Akash Mahajan
• Chapter Lead of null Bangalore
• Web Security Consultant
• I hack, test and secure web apps and servers
• Help companies become secure on AWS cloud
• Website: akashm.com
• Email: [email protected] / [email protected]
• Twitter: @makash
• Linkedin: www.linkedin.com/in/akashm